On Wed, Mar 27, 2024 at 07:18:08AM -1000, David A. Harding wrote:
> On 2024-03-27 02:10, Peter Todd wrote:
> > On Tue, Mar 26, 2024 at 08:36:45AM -1000, David A. Harding wrote:
> > > Could you tell us more about the disclosure process you followed?
> > 
> > see attached.
> 
> Do I correctly infer from this that you privately reported the attack on
> Thursday around 15:46 UTC, didn't receive any replies in four days
> (including a weekend), and published the attack on Monday at 13:21 UTC?
> 
> That's a very short timeline to use for going public due to not receiving a
> response.  I think it's typical to give triage at least 30 days to respond,
> often while also prompting them additional times for a response if
> necessary.

I'm on the bitcoin-security mailing list. Every single plausible issue that has
been raised in the past few years has gotten a response within two days. A few
days is plenty of time to at least respond with a simple "give us more time" if
needed.

Secondly, I was able to verify independently that the relevant people had seen
the email and weren't planning on replying. Which isn't surprising. It's just
another way to perform an obvious, well known, class of attack.

Anyway, I think the lesson to be learned here is I'd have been better off not
disclosing to bitcoin-security first. You're just harassing me here; I highly
suspect you'd have said nothing at all if I hadn't brought up disclosure.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZgRfvrYatcpqPNRn%40petertodd.org.