The discourse surrounding the disclosure of security vulnerabilities continues to ignite debate among experts in the field. Advocates of the “No Disclosure” stance argue that exposing vulnerabilities can equip malicious actors with essential information to orchestrate attacks. Conversely, proponents of the “Full Disclosure” movement contend that publicly sharing knowledge of security vulnerabilities empowers individuals to take precautions and protects them while also motivating security updates from companies.
In the realm of computer security, these divergent viewpoints have led to the emergence of intermediate approaches, primarily known as “Responsible Disclosure” and “Coordinated Vulnerability Disclosure.” These frameworks advocate for disclosing vulnerabilities with a designated embargo period, allowing time for affected systems to implement necessary security fixes. Notable organizations such as CERT/CC at Carnegie Mellon University and Google’s Project Zero have adopted specific variants of Responsible Disclosure, which feature strict deadlines. Moreover, these practices have been formalized as an international standard with the ISO/IEC 29147:2018.
When it comes to blockchain technologies, the complexity of vulnerability disclosure increases substantially. Unlike typical decentralized data processing systems, cryptocurrencies possess intrinsic value as digital assets that relies not only on the digital security of their networks but also on public trust. This trust can be eroded through fear, uncertainty, and doubt (FUD) tactics. For instance, unverified projections regarding the capabilities of quantum algorithms to breach the Elliptic Curve Discrete Logarithm Problem (ECDLP-256) can act as a form of attack against these systems.
In light of these challenges, a prudent approach is warranted when releasing updated estimates regarding quantum threats to blockchain technology that uses elliptic curve cryptography. The first step involves mitigating potential FUD by elucidating areas of blockchain resilience against quantum attacks and emphasizing advancements made toward establishing post-quantum security. The second step is to substantiate resource estimates without disclosing sensitive quantum circuit details. This is achieved through the publishing of a cutting-edge cryptographic construction known as a “zero-knowledge proof.” This tool permits independent parties to verify claims while keeping sensitive information secure.
The organization expresses its intention to engage in further dialogue with stakeholders from the quantum, security, cryptocurrency, and policy sectors. The goal is to establish clear norms for responsible disclosure in the evolving landscape of cybersecurity, particularly in the context of emerging quantum technologies.
