Security Advisories
Lightning Labs is committed to addressing security vulnerabilities in a timely and responsible manner. We work with security researchers to verify and address any potential vulnerabilities that are reported to us.
This page summarizes policies in relation to disclosing vulnerabilities in our products, as well as provides a list of historical Security Advisories.
Policy
Vulnerabilities will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- Critical: Bugs that can cause widespread loss of funds. Such a bug may be considered an existential threat to the Lightning Network as a whole, and may result in widespread loss of confidence (and funds) if exploited.
- High: Bugs that result in small scale, non-viral loss of funds or inadvertent closure of channels.
- Medium: Bugs in this category have the ability to crash multiple nodes because they have a "viral component", e.g. a bug that lets a node crash as well as the nodes it is connected to.
- Low: Bugs in this category have the ability to crash a single node but do not propagate to its peers.
Disclosures are batched quarterly and, where possible, aligned with product releases. Low and Medium bugs that are fixed in Qx are partially disclosed in Q(x+2) + 4 wks, and fully disclosed in Q(x+4) + 4 wks.
Critical and High bugs are not covered by the standard disclosure policy, as they require ad-hoc procedures.
Past Security Advisories
- LND Gossip Nil-Map Panic on Zero-Timestamp Messages (ID: ) - Severity: T3
- LND Onion Bomb (ID: CVE-2024-38359) - Severity: High
- Witness Block Parsing DoS Vulnerability (ID: CVE-2022-39389) - Severity: High