Merge fort-nix/nix-bitcoin#457: Add nix-bitcoin security fund information

bdccaa3edd Add SECURITY.md (nixbitcoin) Pull request description: ACKs for top commit: erikarvstedt: ACK bdccaa3edd jonasnick: ACK bdccaa3edd Tree-SHA512: dfcc21a72b9fcc012efa9d4c39cf3ab837287a57364365d1378c6be2f9cff67b04cbb70e45a4eed27c2f1962f53e6b7be947588dda6d051caad81a8096a7ffd0
2022-03-30 12:51:28 +00:00 · 2022-03-30 12:51:28 +00:00 · 05b8c632f4
commit 05b8c632f4
parent 2365163f4f bdccaa3edd
2 changed files with 107 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -94,6 +94,10 @@ NixOS modules ([src](modules/modules.nix))

 Security
 ---
+See [SECURITY.md](SECURITY.md) for the security policy and how to report a vulnerability.
+
+nix-bitcoin aims to achieve a high degree of security by building on the following principles:
+
 * **Simplicity:** Only services enabled in `configuration.nix` and their dependencies are installed, support for [doas](https://github.com/Duncaen/OpenDoas) ([sudo alternative](https://lobste.rs/s/efsvqu/heap_based_buffer_overflow_sudo_cve_2021#c_c6fcfa)), code is continuously reviewed and refined.
 * **Integrity:** The Nix package manager guarantees that all dependencies are exactly specified, packages can be built from source to reduce reliance on binary caches, nix-bitcoin merge commits are signed, all commits are approved by multiple nix-bitcoin developers, upstream packages are cryptographically verified where possible, we use this software ourselves.
 * **Principle of Least Privilege:** Services operate with least privileges; they each have their own user and are restricted further with [systemd features](pkgs/lib.nix), [RPC whitelisting](modules/bitcoind-rpc-public-whitelist.nix) and [netns-isolation](modules/netns-isolation.nix). There's a non-root user *operator* to interact with the various services.