A discussion of vulnerability disclosure in blockchain security says that public release of attack details can create risks, but controlled disclosure can also help users and encourage fixes. The text says this balance has led to “Responsible Disclosure” and “Coordinated Vulnerability Disclosure”, both of which allow an embargo and time for fixes before publication.
The source says these approaches have been adopted by organisations including CERT/CC at Carnegie Mellon University and Google’s Project Zero, and are covered by the international standard ISO/IEC 29147:2018.
The text says disclosure is more complicated in blockchain technologies because cryptocurrencies depend both on network security and public confidence. It says those systems can be attacked not only through CRQCs, but also through fear, uncertainty and doubt (FUD) techniques, and that unscientific resource estimates for quantum algorithms breaking ECDLP-256 can themselves be harmful.
The disclosure approach described in the source is meant to reduce that risk while publishing updated resource estimates for quantum attacks on blockchain technology based on elliptic curve cryptography. It says the discussion clarifies where blockchains are immune to quantum attacks and notes progress already made toward post-quantum blockchain security.
To support the estimates without releasing sensitive attack details, the text says the authors use a “zero-knowledge proof”, allowing third parties to verify the claims without access to the underlying quantum circuits. The source closes by saying it welcomes further discussions with the quantum, security, cryptocurrency, and policy communities on responsible disclosure norms.
Source: research.google.
Companies can share verified announcements through Newz9’s international press release submission page.
