Hi Peter,<div><br /></div><div>I agree that handling of vulnerability reports could be improved, although I have less expectations from bitcoin core to acknowledge any feedback. Here are a few things that we can do to improve the process:</div><div><br /></div><div>- Report vulnerabilities anonymously and share real identity with disclosure later if required.</div><div>- Send the email to achow101 or sipa or fanquake and keep security@bitcoincore.org in Cc.</div><div>- Lets create a hall of fame webpage which has the name of all developers who reported vulnerabilities along with other details. Community could also donate directly to developers.</div><div>- Do not expect response on weekends and wait for at least 7-30 days before full disclosure if vulnerability report is ignored.</div><div><br /></div><div>Maybe you and others on mailing list could add suggest more improvements.</div><div><br /></div><div>/dev/fd0</div><div>floppy disk guy</div><div><br /></div><div class="gmail_quote"><div dir="auto" class="gmail_attr">On Saturday, July 20, 2024 at 3:12:46 PM UTC Peter Todd wrote:<br/></div><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">On Fri, Jul 19, 2024 at 10:57:40PM -0700, /dev /fd0 wrote:
<br>&gt; Hi Antoine,
<br>&gt; 
<br>&gt; &gt;  I&#39;m interested if you can propose a formal or mathematical definition of 
<br>&gt; what constitute
<br>&gt; &gt; an in-topic of off-topic comments on a matters like full RBF, which has 
<br>&gt; been controversial
<br>&gt; &gt; for like a decade.
<br>&gt; 
<br>&gt; I will quote _willcl-ark_&#39;s last comment as I do not have enough 
<br>&gt; permissions in bitcoin core repository to moderate comments:
<br>&gt; 
<br>&gt; &quot;However the comments section here has become difficult to follow due to 
<br>&gt; numerous off-topic comments, a few personal disagreements, and repetition 
<br>&gt; of arguments. In the interest of having a more productive and focused 
<br>&gt; technical and philosophical discussion we are going to close and lock this 
<br>&gt; PR.&quot;
<br>&gt; 
<br>&gt; A new pull request should help reviewers. If you do not agree with it, feel 
<br>&gt; free to discuss it with moderators in bitcoin core IRC channel.
<br>
<br>It&#39;s quite bizzare to use &quot;off topic comments&quot; as an excuse to close a pull-req
<br>fixing a specific security vulnerability, assuming you actually care about that
<br>vulnerability. As I&#39;ve said elsewhere, Core could have easily and quietly
<br>merged that pull-req as-is, possibly by having a few people write some obvious
<br>ACK rationals.
<br>
<br>The only good explanation for closing it is to further delay merging the
<br>pull-req, as well as disclosing the vulnerability.
<br>
<br>-- 
<br><a href="https://petertodd.org" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=https://petertodd.org&amp;source=gmail&amp;ust=1721626646552000&amp;usg=AOvVaw2JSBe0750jhDyC3Zta_EyJ">https://petertodd.org</a> &#39;peter&#39;[:-1]@<a href="http://petertodd.org" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=en&amp;q=http://petertodd.org&amp;source=gmail&amp;ust=1721626646552000&amp;usg=AOvVaw0bBHxHb8vxSNez5PQ90-bw">petertodd.org</a>
<br></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/bitcoindev/955e7097-ca7a-452a-953f-718aca14cdc6n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/955e7097-ca7a-452a-953f-718aca14cdc6n%40googlegroups.com</a>.<br />