Add an obvious disclaimer in the plugins store

[pavlenex]

Disclaimer: BTCPay plugins are developed by third parties unless the author is BTCPay Use at your own risk. [Read More]/#)

And that can open a pop-up

Important Notice for BTCPay Plugin Store Users

Use at Your Own Risk: Plugins in this store are developed by independent third parties, not affiliated with the BTCPay core team. These plugins have not undergone review by our team.

Disclaimer of Responsibility: The BTCPay team is not liable for any harm, loss, or damage resulting from the installation or use of these plugins. Users assume full responsibility for their choices.

No Official Endorsement: Inclusion in the BTCPay Plugin Store does not constitute an endorsement or guarantee of quality, safety, or compatibility by the BTCPay team.

Due Diligence Advised: We recommend users exercise caution and conduct their own research or consult the community before installing any plugin.

Feedback and Reporting: Should you experience issues with a plugin, please provide feedback or report concerns directly to the respective plugin developers.

I would again leave it up to @dstrukt and @dennisreimann on how this can be achieved UX wise, as I said above, a brief sentence with the ability for users to read more, should be good enough.

[ndeet]

Disclaimer: BTCPay plugins are developed by third parties unless the author is BTCPay Use at your own risk. [Read More]/#)

No matter if developed by BTCPay or an individual. It is open source software under MIT which states there is no liability and I think we should not suggest that BTCPay is in any way more secure even though many more eyes are reviewing the code.

[pavlenex]

Disclaimer: BTCPay plugins are developed by third parties unless the author is BTCPay Use at your own risk. [Read More]/#)

No matter if developed by BTCPay or an individual. It is open source software under MIT which states there is no liability and I think we should not suggest that BTCPay is in any way more secure even though many more eyes are reviewing the code.

I guess we can remove unless the author is BTCPay then, since we don't really have BTCPay official plugins yet anyway cc @dennisreimann

[Amperstrand]

Some thoughts on how to reduce the impact of future security incidents:

• lnbits has a critical notification message that is displayed to the admin if there is something urgent. This is not really something that should be added to an individual plugin, but plugins could request that such a notice be displayed if there is an urgent upgrade. This message should be reserved for urgent upgrades that address critical issues and not just be used for feature upgrades (or else people will start ignoring them).
• Auto-upgrading BTCpayserver or plugins can introduce a security risk in case a plugin is compromised and introduces a malicious update. But maybe there is a way to subscribe to critical security vulnerabilities warnings that could trigger a kill switch like in LNBits.
  • It could be enabled by default, but be optional.
  • It could point to https://btcpayserver.org/versions_with_critical_security_issues.txt, and if the version I am trying to run is listed in that file, it would shut down my instance.
• A watchdog (also mentioned on the same LNBits page) could also monitor that lnbank/btcpayserver expects the lightning node to have balance that lnbank or BTCpayserver thinks the lightning node should have is the same as reported by the lightning node. If the two become out of sync, then there is probably something wrong (unless some other process is also using the lightning node).
• A watchdog could also implement a policy that will trigger if BTCpayserver is behaving in an unexpected way such as trying to transfer funds out at a rate that is greater than the policy.
  • This might be better handled outside of BTCpayserver by something like Validating Lightning Signer or the access rights that BTCpayserver is using to talk to the lightning node
  • With onchain transactions it is easy to set up a watch-only wallet. This could be the default setup for lightning transactions too, so that BTCpayserver only has permission from the built-in lightning node to receive funds, and if you want to transfer funds out, you need to use some external tool (like Ride The Lightning).

[dennisreimann]

lnbits has a critical notification message that is displayed to the admin if there is something urgent. This is not really something that should be added to an individual plugin, but plugins could request that such a notice be displayed if there is an urgent upgrade.

We could have this as a feature of the plugin builder, with which we offer it as a general mechanism to all plugins and integrate it in BTCPay Server for the admin to see. This would include a version number below which a message would be displayed and depending on how far we want to go it could also include a disable flag/killswitch for plugins below that version. @Kukks @NicolasDorier

Auto-upgrading BTCpayserver or plugins can introduce a security risk in case a plugin is compromised and introduces a malicious update.

We are evaluating and tracking this in #5539.

A watchdog (also mentioned on the same LNBits page) could also monitor that lnbank/btcpayserver expects the lightning node to have balance that lnbank or BTCpayserver thinks the lightning node should have is the same as reported by the lightning node.

A general watchdog would not work for LNbank, because depending on how it is used, LNbank might just share a portion of the Lightning node and the rest is used for the regular Lightning functionality in stores. LNbank monitors the liquidity of the node though and reports if the bank liabilities exceed the liquidity in local channels — but that's another feature.

a policy that will trigger if BTCpayserver is behaving in an unexpected way such as trying to transfer funds out at a rate that is greater than the policy.

Having policies like this would make sense in addition to other already planned features like dennisreimann/btcpayserver-plugin-lnbank#20. I will introduce that in combination with more fine-grained controls and permissions based on what I'm working on in dennisreimann/btcpayserver-plugin-lnbank#50.

[aljazceru]

This might be better fitting to a different issue since its a bit off topic to the disclaimer conversation but I'll leave it here anyway - I've already briefly mentioned on mattermost

I suggest creating an rss feed for announcing vulnerabilities. RSS feeds are a common practice within security industry (cve announcements etc) and broader IT industry. They can be integrated into any flow and every tool out there supports it. It is used by infrastructure providers, big vendors and other organizations, despite them mostly having actual customer information (emails) over which they could deliver that info.

RSS can be integrated by users into chats, their personal feeds, monitoring tooling that they use for other stuff. Using social networks and chats is insufficient for critical stuff, specially when it has to do with money.

Examples in the wild:
https://www.bleepingcomputer.com/news/microsoft/microsoft-adds-new-rss-feed-for-security-update-notifications/
https://www.cisa.gov/about/contact-us/subscribe-updates-cisa