Security

Reporting bugs and vulnerabilities.

Bitcoin Ghost is decentralised software — there's no company to phone, no support desk, no SLA. Bugs and vulnerabilities are handled transparently on GitHub. Where a disclosure needs to stay private until a fix ships, use GitHub's private advisory flow.

Three paths, depending on what you found.

Pick the channel that matches the nature of the issue. Everything else is noise and slows down a fix.

  1. A normal bug or feature request
     Something crashes, misbehaves, or feels wrong, but isn't exploitable. Open a public issue at github.com/bitcoin-ghost/ghost/issues. Include version, OS, and steps to reproduce. Pull requests welcome for anything — see CONTRIBUTING.md.
  2. A security vulnerability
     Something that could steal funds, forge shares, crash the mesh, or leak user data. Do not open a public issue. Use GitHub's private vulnerability reporting at github.com/bitcoin-ghost/ghost/security/advisories/new. The maintainer gets notified, the thread stays private until a fix ships, and a CVE can be assigned from the same form.
  3. An active incident on the mesh
     You see nodes misbehaving right now — bad payouts, consensus stall, duplicate blocks, anything that looks like coordinated abuse. Open a private advisory as in step 2 and tag it incident. During the nurture phase (pre-ossification), the maintainer will triage quickly.

What counts as a security issue.

Anything that lets an attacker take someone else's funds, break consensus, or unmask a user. If in doubt, file it privately — better to over-report than to publish an exploit.

What happens after you report.

During the nurture phase (pre-ossification) the maintainer triages privately reported issues and ships fixes as ordinary commits after disclosure ends. The shape of the flow:

  1. Acknowledgement
     Maintainer replies on the private advisory thread within a few days. No separate email, no form.
  2. Validation + severity
     If it reproduces, we agree severity and a target fix window. If it doesn't, we ask for more detail.
  3. Fix on a private branch
     Patch developed on a GitHub private advisory branch. Reporter is invited to review if they want to.
  4. Coordinated release
     Binary release ships, node operators get 7 days to upgrade, then the advisory is made public with full write-up and reporter credit (if wanted).

After ossification (target: 5+ years from mainnet launch) the codebase freezes and this process ends. At that point security reports are still welcome on GitHub, but fixes only land if the community agrees on a consensus-compatible patch. The maintainer steps back; the protocol belongs to the node operators.