Hi Dave,

> Could you tell us more about the disclosure process you followed? I'm
> surprised to see it disclosed without any apparent attempt at patching.
> I'm especially concerned given your past history of publicly revealing
> vulnerabilities before they could be quietly patched[1] and the conflict
> of interest of you using this disclosure to advocate for a policy change
> you are championing.

In defense of Peter, I don't think there is a low-hanging fruit that could have been landed easily in Bitcoin Core. The most obvious ones could have been a) to reduce `MAX_STANDARD_TX_WEIGHT`, b) a new rule `max_replacement_bandwidth`, or c) a new absolute-fee-based penalty on bandwidth replacement cost. All hard to integrate in a covert fashion without attracting some attention from the community, which would certainly ask why we're changing the marginal bandwidth cost, potentially impacting some use cases unfavorably.

Certainly, Peter's report could have integrated a disclosure timeline following the example of CVE-2018-17144 [0], which I can recommend to anyone doing security research or serving as a security point of contact in our field.

I don't see the conflict of interest in the present disclosure? It is public information that Peter is championing RBFR [1]. I'm not aware of any private interest unfavorably influencing Peter's behavior in the conduct of this security issue disclosure.

One of the established principles in infosec is that it's up to software vendors to explain why their software is broken or why they are "lazy" fixing issues, assuming sufficient technical proof has been initially communicated by the reporter.

If you're dissatisfied by Peter's conduct in the handling of this disclosure, you're welcome to author vulnerability reports or assume the role of coordinating patching responses yourself more often. Assuming you can be reasonably trusted here.
Finally, in matters of ethics, talking as an external observer can be cheap sometimes and it is best to "lead by example", imho.

Best,
Antoine

[0] https://bitcoincore.org/en/2018/09/20/notice/
[1] https://petertodd.org/2024/one-shot-replace-by-fee-rate

On Tue, 26 Mar 2024 at 18:38, David A. Harding wrote:
> On 2024-03-18 03:21, Peter Todd wrote:
> > [...] the existence of this attack is an argument in favor of
> > replace-by-fee-rate. While RBFR introduces a degree of free-relay, the fact
> > that Bitcoin Core's existing rules *also* allow for free-relay in this form
> > makes the difference inconsequential.
> >
> > # Disclosure
> >
> > This issue was disclosed to bitcoin-security first. I received no objections to
> > making it public. All free-relay attacks are mitigated by the requirement to at
> > least have sufficient funds available to allocate to fees, even if the funds
> > might not actually be spent.
>
> Could you tell us more about the disclosure process you followed? I'm
> surprised to see it disclosed without any apparent attempt at patching.
> I'm especially concerned given your past history of publicly revealing
> vulnerabilities before they could be quietly patched[1] and the conflict
> of interest of you using this disclosure to advocate for a policy change
> you are championing.
>
> -Dave
>
> [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-June/016100.html
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/bitcoindev/EJYoeNTPVhg/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/bitcoindev/012f89763cc336cd91eec13dccefc921%40dtrt.org.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/CALZpt%2BHNiwie1RNJOi9WJs-F2%3DYSvFdwCDfdNDuTdUuSf_kTBg%40mail.gmail.com.