
[up-to-grabs] add a security.md (was #772)

Open ariard opened this issue 7 months ago • 0 comments

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[up-to-grabs] add a security.md re-#772

Now that CVE-2025-27586 is out and the problem with "block signature overflow" has been posted too, all the major lightning stuff that was still up my sleeve should be out now. It has been ~18 months since the RCA full disclosure, though now I can definitively transition out of lightning dev.

I still think it would be great for the project to have a security reporting policy for all protocol-level vulnerabilities. I pray we have caught a lot of the cross-layer vulnerabilities with the base layer, though it's not something we can ever be sure of. #772 was a good start for a basic policy, e.g. 2 people per major implementation. I don't know if we nominate for this kind of role to take responsibility, but I think @t-bast or @cdecker are good names.

I had already stopped doing anything technically substantial on the lightning side a while ago, though I'll now also abstain from investigating novel lightning security stuff. After thinking a lot on this matter, and while I might be one of the only devs taking deontology seriously, I think this can only be a source of ethical issues due to the fact that CKC and I attended the same 2019 Chaincode residency. Based on my pre-bitcoin professional experience and the sense of ethics hard-learnt there, I've always strictly and intentionally kept her away from security info over the last 5 years to minimize the risks of ethical issues and to be sure I always preserve the objectivity of my judgement there. I'm starting to encroach on that boundary, and I shouldn't.

About ethics, the "appearance" matters too, and given I've already had to sweep up that kind of situation for some vulns on the Bitcoin Core side due to a pair of devs in 2021, I'm very mindful of that kind of situation. It will also make more room for her, if she wishes to work on all parts of the LN stack. For me, slashing my LN career is no problem; I was already successful in my pre-bitcoin technological career.

Do not blame: we didn't hire ourselves for the 2019 residency.

Antoine Louis Riard
0000000000000000000226739647ba400cce0aea29c462c71c31f00dc9dc4801

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpaaGjXqpHdAKwaZ/gX/6Ao72HJQFAmhMiw0ACgkQgX/6Ao72
HJQjqxAAkWbASXGrOBm71JVVvfDG7+6kxcGFGL0jBX/kJeoI7AZPXWLTq4/C5nsA
WtBru/di3j1S0Z1WOp3sIw16kz2ekfQULkcVjVNLVDzXWQtFu3DFiopk5k2m6FDc
pAXhagSHTcqMGTyfBD6lXYweJiA7IwI/dqNpgVh8lU6U7IZYgYKX8BjFkebXiAwn
QAZBLu1U83ce5GavrId1u6J1FrLRJyKNnbZShDz/D9UjMIpvViZ+b8+4Steug2Wz
+I7YtTLetEOEok29wxxDRAKHs3dhsJE3lJzhY19hQu8V0DkGOZUfJBV5kBTvdj1H
ZNIYdmK2yDilVaGNJmswkuGeCYF+xVFArg3N0nn3lT/nqzyBktKEZAkeX1r/RqpE
UwtgnWbHq+J4tnMFbwDzuOASrkOTHaiftjzX1y3C8Jim1QV3Q+upOGQAjEJNvz8S
UIkb5z+Yn13g6a9fiwA3OVWYLub6c/ZihbfFa0pFG1zNQ39uFpXp8Bsa+yMrIgOd
IAh40a7EtFDIK7q1+GmsDJqFQ/Lim8yRo6Uc8qLisIlRHGiFn00eLB9qDw9S0XH/
7QSwuvBoE76eSSA61UfziJ8C101imZ0aOFafi/JAOZ6UvuTbdfW1Mn2MKS160RVO
lKnjEmrvice1smJixAINcuD+D2JsFfY62SA60c+Z53T4a7hKc58=
=x725
-----END PGP SIGNATURE-----

ariard, Jun 13 '25 20:06