Add an obvious disclaimer in the plugins store #5547
Comments
No matter if developed by BTCPay or an individual. It is open source software under MIT which states there is no liability and I think we should not suggest that BTCPay is in any way more secure even though many more eyes are reviewing the code.
I guess we can remove
Some thoughts on how to reduce the impact of future security incidents:
We could have this as a feature of the plugin builder, with which we offer it as a general mechanism to all plugins and integrate it in BTCPay Server for the admin to see. This would include a version number below which a message would be displayed and depending on how far we want to go it could also include a disable flag/killswitch for plugins below that version. @Kukks @NicolasDorier
We are evaluating and tracking this in #5539.
A general watchdog would not work for LNbank, because depending on how it is used, LNbank might just share a portion of the Lightning node and the rest is used for the regular Lightning functionality in stores. LNbank monitors the liquidity of the node though and reports if the bank liabilities exceed the liquidity in local channels — but that's another feature.
Having policies like this would make sense in addition to other already planned features like dennisreimann/btcpayserver-plugin-lnbank#20. I will introduce that in combination with more fine-grained controls and permissions based on what I'm working on in dennisreimann/btcpayserver-plugin-lnbank#50.
This might be better fitting to a different issue since it's a bit off topic to the disclaimer conversation, but I'll leave it here anyway. As I've already briefly mentioned on Mattermost, I suggest creating an RSS feed for announcing vulnerabilities. RSS feeds are a common practice within the security industry (CVE announcements etc.) and the broader IT industry. They can be integrated into any flow and every tool out there supports it. It is used by infrastructure providers, big vendors and other organizations, despite them mostly having actual customer information (emails) over which they could deliver that info. RSS can be integrated by users into chats, their personal feeds, and monitoring tooling that they use for other stuff. Using social networks and chats is insufficient for critical stuff, especially when it has to do with money. Examples in the wild:
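The two mechanisms proposed above (a per-plugin minimum version below which a warning or kill switch applies, and a machine-readable advisory feed) fit together naturally: the server pulls the feed, extracts the affected plugin and the first fixed version, and compares it against what is installed. The following is an added example, not code from BTCPay Server, the plugin builder, or any commenter. The feed below is a constructed RSS 2.0 sample, and the `plugin=... fixed=... action=...` fields in each item's description are an assumed convention, not a real BTCPay feed format; the plugin identifiers and URLs are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed (not a real BTCPay advisory feed). The description
# fields are an ASSUMED convention so that the feed is machine-readable.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Plugin security advisories (constructed sample)</title>
<item>
  <title>Example advisory A (hypothetical)</title>
  <description>plugin=lnbank fixed=1.5.0 action=disable</description>
  <link>https://example.invalid/advisory/a</link>
</item>
<item>
  <title>Example advisory B (hypothetical)</title>
  <description>plugin=other-plugin fixed=2.0.1 action=warn</description>
  <link>https://example.invalid/advisory/b</link>
</item>
<item>
  <title>Human-readable note without machine fields</title>
  <description>Nothing actionable here.</description>
</item>
</channel></rss>"""

ACTIONS = ("warn", "disable")  # "disable" is the kill switch
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Advisory:
    plugin: str
    fixed: tuple      # parsed version; installed versions below this are affected
    action: str       # "warn" or "disable"
    title: str
    link: str


def parse_version(s):
    """Turn '1.5.0', '1.5' or '1.5.0-rc1' into a comparable tuple.

    Missing components are padded with 0 so that 1.5 == 1.5.0, and a release
    sorts above any pre-release of the same number, so 1.5.0-rc1 < 1.5.0 and
    is therefore still treated as affected by an advisory fixed in 1.5.0.
    """
    main, _, pre = s.strip().partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return nums + ((0, (pre,)) if pre else (1, ()))


def parse_feed(xml_text):
    """Extract advisories from RSS items that carry the assumed machine fields."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        fields = dict(FIELD_RE.findall(item.findtext("description", "")))
        if not {"plugin", "fixed", "action"} <= fields.keys():
            continue  # purely human-readable item: nothing to automate
        if fields["action"] not in ACTIONS:
            continue  # unknown action: ignore rather than guess
        advisories.append(Advisory(
            plugin=fields["plugin"],
            fixed=parse_version(fields["fixed"]),
            action=fields["action"],
            title=item.findtext("title", ""),
            link=item.findtext("link", ""),
        ))
    return advisories


def evaluate(installed, advisories):
    """installed: {plugin_id: version_string}.

    Returns {plugin_id: (action, advisory)} for every installed plugin whose
    version is below an advisory's fixed version. When several advisories hit
    the same plugin, "disable" wins over "warn".
    """
    result = {}
    for adv in advisories:
        ver = installed.get(adv.plugin)
        if ver is None or parse_version(ver) >= adv.fixed:
            continue
        current = result.get(adv.plugin)
        if current is None or (adv.action == "disable" and current[0] == "warn"):
            result[adv.plugin] = (adv.action, adv)
    return result


def admin_messages(installed, feed_xml):
    """Render what an admin notice would show; 'disable' means the plugin
    would be kept from loading until upgraded."""
    lines = []
    for plugin, (action, adv) in sorted(evaluate(installed, parse_feed(feed_xml)).items()):
        verb = "DISABLED" if action == "disable" else "WARNING"
        lines.append(f"{verb}: {plugin} {installed[plugin]} is affected by "
                     f"'{adv.title}'; upgrade to a fixed version ({adv.link})")
    return lines


if __name__ == "__main__":
    for line in admin_messages({"lnbank": "1.4.2", "other-plugin": "2.0.1"}, SAMPLE_FEED):
        print(line)
```

Two caveats a practitioner would add before relying on this: the feed is only as trustworthy as the transport and host that serve it, so a kill switch that disables code on the strength of a feed item needs the items (or the whole feed) to be signed with a key the server already trusts, otherwise whoever can tamper with the feed can turn plugins off; and the comparison treats pre-releases as older than the matching release, which is the conservative choice but must match how plugin authors actually tag their builds.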
Disclaimer: BTCPay plugins are developed by third parties unless the author is BTCPay. Use at your own risk. [Read More](#)
And that can open a pop-up:
Important Notice for BTCPay Plugin Store Users
Use at Your Own Risk: Plugins in this store are developed by independent third parties, not affiliated with the BTCPay core team. These plugins have not undergone review by our team.
Disclaimer of Responsibility: The BTCPay team is not liable for any harm, loss, or damage resulting from the installation or use of these plugins. Users assume full responsibility for their choices.
No Official Endorsement: Inclusion in the BTCPay Plugin Store does not constitute an endorsement or guarantee of quality, safety, or compatibility by the BTCPay team.
Due Diligence Advised: We recommend users exercise caution and conduct their own research or consult the community before installing any plugin.
Feedback and Reporting: Should you experience issues with a plugin, please provide feedback or report concerns directly to the respective plugin developers.
I would again leave it up to @dstrukt and @dennisreimann on how this can be achieved UX wise, as I said above, a brief sentence with the ability for users to read more, should be good enough.