public inbox for bitcoindev@googlegroups.com
From: Michael Folkson <michaelfolkson@protonmail•com>
To: alicexbt <alicexbt@protonmail•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development
Date: Thu, 11 May 2023 19:44:18 +0000	[thread overview]
Message-ID: <I_QFh8MNIEz819n0dEitgXPmS5jfrYkOxTZoo211l1grYmW3yrDYxkso9XSrqLS26WJVXj0LAIpYe77DwWs7sXClVjz_Oz-lQiOV3Hn1U2Y=@protonmail.com> (raw)
In-Reply-To: <73TDuUxE1bU1oorFgqmS9MKA_hQz8W_IdSR9zJK1Fwkp5qfU7eqmA75QMddrME9iwrLmTkB7qLgf94o4c4NT1OgHe2QD_BeWvjZvDmLT6dg=@protonmail.com>


Hi alicexbt

The vulnerability reporting process requires communication and resolution via a small group of individuals [0] rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug [1]. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).

An interesting question though and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.

Thanks
Michael

[0]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md
[1]: https://bitcoincore.org/en/2018/09/20/notice/

--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F

Learn about Bitcoin: https://www.youtube.com/@portofbitcoin

------- Original Message -------
On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:

> Hi Bitcoin Developers,
>
> There is an open issue in bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
>
> I think this should have been reported privately as a vulnerability instead of creating a GitHub issue, even if it worked only in debug mode. Some users in the comments have also experienced similar issues without a debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours, so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse, and there is nothing wrong in reporting something privately if there is even a 1% possibility of it being a vulnerability. I had recently reported something to the LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
>
> In the CPU usage issue, maybe the users can run bitcoind with a bigger mempool or try other things shared in the issue by everyone.
>
> This isn't the first time either that a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet, which affected some projects.
>
> This email is just a request to consider that the impact of any vulnerability, if it gets exploited, could affect a lot of things. Even the projects with no financial activity involved follow better practices.
>
> /dev/fd0
> floppy disk guy
