Bitcoin Core is a security-critical project. This document outlines our security policy, how to report vulnerabilities, and references to additional security resources.

For comprehensive security and privacy practices, please see SECURITY_PRACTICES.md.

See our website for versions of Bitcoin Core that are currently supported with security updates: https://bitcoincore.org/en/lifecycle/#schedule

To report security issues send an email to security@bitcoincore.org (not for support).

Do not open public GitHub issues for security vulnerabilities.

When reporting a security vulnerability, please include:

• Description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Affected versions (if known)
• Any potential mitigations or workarounds you've identified
• Your contact information for follow-up questions

1. Acknowledgment: We aim to acknowledge receipt within 48 hours
2. Assessment: Our security team will assess the vulnerability
3. Updates: We'll keep you informed of our progress
4. Resolution: Once fixed, we'll coordinate disclosure timing with you
5. Credit: We acknowledge security researchers who report valid issues

The following keys may be used to communicate sensitive information to developers:

You can import a key by running the following command with that individual's fingerprint:

gpg --keyserver hkps://keys.openpgp.org --recv-keys "<fingerprint>"

Ensure that you put quotes around fingerprints containing spaces.

1. Review SECURITY_PRACTICES.md for detailed security guidance
2. Check .gitignore to understand what files should never be committed
3. Never commit sensitive data: private keys, API tokens, credentials, or wallet files
4. Use secure authentication: Employ environment variables for secrets, never hardcode them

1. Keep dependencies updated: Regularly check for security updates
2. Run security scans: Use available security scanning tools
3. Review code carefully: Every change is security-critical
4. Test thoroughly: Ensure your changes don't introduce vulnerabilities
5. Follow safe git practices: Review all changes before committing

• Never commit tokens to git: Use environment variables or secure credential stores
• Rotate credentials regularly: Update tokens and keys periodically
• Use minimal permissions: Grant only the permissions required for your task
• Secure local configuration: Keep settings.xml, ~/.m2/, and similar files secure

See SECURITY_PRACTICES.md for detailed guidance on:

• Maven/GitHub Packages authentication
• GitHub Actions security
• Privacy considerations
• Safe publishing workflows

• CONTRIBUTING.md - General contribution guidelines
• SECURITY_PRACTICES.md - Comprehensive security and privacy practices
• Bitcoin Core Security - Past security advisories

The following files and directories are automatically excluded from version control to protect sensitive data:

• Private keys (*.pem, *.key, id_rsa, etc.)
• Wallet files (wallet.dat, *.wallet, etc.)
• Configuration files (bitcoin.conf, settings.json, etc.)
• API keys and tokens
• Environment files (.env, .env.local, etc.)
• Build artifacts and temporary files

Review .gitignore for the complete list of excluded patterns.

• Security Issues: security@bitcoincore.org
• General Support: See https://bitcoincore.org for support channels
• Project Website: https://bitcoincore.org