Our Approach to Vulnerability Disclosure
Disclosure of security vulnerabilities is a controversial topic. On the one hand, the “No Disclosure” position argues that publishing vulnerabilities provides bad actors with instruction manuals for attacks. On the other hand, the Full Disclosure movement argues that knowledge of security vulnerabilities allows the public to exercise caution and protect themselves while encouraging security patches.
Understanding Responsible and Cooperative Vulnerability Disclosure
When it comes to IT security, the debate has converged around a set of compromises called “Responsible Disclosure” and “Cooperative Vulnerability Disclosure”. Both advocate disclosing the vulnerability with an embargo and some time for security patches to be deployed to affected systems. Variants of responsible disclosure with strict deadlines have been adopted by leading security research institutes, such as Carnegie Mellon University’s CERT/CC and Google’s Project Zero, and as the international standard ISO/IEC 29147:2018.
Challenges in Blockchain Vulnerability Disclosure
Disclosure of security vulnerabilities in blockchain technologies is further complicated by the fact that cryptocurrencies are not simple decentralized data processing systems. Their value as digital assets stems from both the digital security of the network and public trust in the system. While their digital security can be attacked using cryptographically relevant quantum computers (CRQCs), public trust can also be undermined through fear, uncertainty, and doubt (FUD) techniques. Therefore, unscientific and unsubstantiated estimates of the resources that quantum algorithms need to break ECDLP-256 may themselves represent an attack on the system.
Our Methodology in Quantum Attack Disclosure
These considerations guide our careful disclosure of updated resource estimates for quantum attacks on blockchain technology based on elliptic curve cryptography. First, we reduce the FUD potential of our discussion by clarifying areas in which blockchains are immune to quantum attacks and highlighting the progress already made toward post-quantum blockchain security. Second, we justify our resource estimates without sharing the underlying quantum circuits by releasing a state-of-the-art cryptographic construct called a zero-knowledge proof, which allows third parties to verify our claims without us disclosing sensitive details about the attack.
Commitment to Collaboration and Future Standards
We support continued discussions with the quantum, security, cryptocurrency, and policy communities to align with responsible disclosure standards in the future. Our efforts aim to balance transparency with security, ensuring that stakeholders are informed and prepared while not compromising the integrity of the systems we strive to protect.
For more information, you can read the full details here.

