Date: Tue, 23 May 2023 16:45:58 +0000
From: alicexbt
To: Michael Folkson
Cc: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development

Hi Michael,

Yes, I had requested a CVE ID after v24.1 was released, with Anthony Towns being the discoverer. I would follow the process shared here: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md when Bitcoin Core developers do not disclose vulnerabilities publicly as GitHub issues, which are read by everyone including 3 letter agencies. I don't think there was anything left in the issue after discussing it for days for me to add anything new. I was clear about some things the moment I read the issue, and it's one of the reasons I created this thread on May 9 (public) about a public GitHub issue after following it for a few days.

It would still qualify as a vulnerability if it only affected debug builds.

> You weren't particularly clear with what has occurred.

It would be better if we had fewer assumptions about such things.

/dev/fd0
floppy disk guy

Sent with Proton Mail secure email.
------- Original Message -------
On Tuesday, May 23rd, 2023 at 9:47 PM, Michael Folkson wrote:

> Hi alicexbt
>
> > It has been assigned CVE-2023-33297
>
> Did you personally request the CVE ID? Say via here [0]? Did you confirm with someone listed on the vulnerability reporting process [1] for Bitcoin Core that it made sense to do that at this time? I'm not sure whether completely bypassing that list and requesting CVE IDs for the project as an individual is the way to go. If you have already contacted one of them and they've given you the go ahead to start the CVE process then fine. You weren't particularly clear with what has occurred.
>
> Thanks
> Michael
>
> [0]: https://cve.mitre.org/cve/request_id.html
> [1]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md
>
> --
> Michael Folkson
> Email: michaelfolkson at protonmail.com
> GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
>
> Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
>
> ------- Original Message -------
> On Monday, May 22nd, 2023 at 13:56, alicexbt alicexbt@protonmail.com wrote:
>
> > Hi Michael,
> >
> > > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't.
> >
> > Yes, this can be improved.
> >
> > > Or even that this particular issue could ultimately end up being classed a CVE.
> >
> > It has been assigned CVE-2023-33297
> >
> > /dev/fd0
> > floppy disk guy
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson michaelfolkson@protonmail.com wrote:
> >
> > > Hi alicexbt
> > >
> > > "Open source" has the word "open" in it. Pushing everything into closed, private channels of communication and select groups of individuals is what I've been trying to push back upon.
> > > As I said in my initial response "it doesn't scale for all bug reports and investigations to go through this tiny funnel" though "there are clearly examples where the process is critically needed".
> > >
> > > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't. Or even that this particular issue could ultimately end up being classed a CVE. But rather than merely complaining and putting "open source" into quote marks perhaps suggest what class of bug reports should go through the tiny funnel and what shouldn't. Unless you think everything should go through the funnel in which case you are advocating for less openness whilst simultaneously complaining it isn't "open source". Square that circle.
> > >
> > > Thanks
> > > Michael
> > >
> > > --
> > > Michael Folkson
> > > Email: michaelfolkson at protonmail.com
> > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > >
> > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > >
> > > ------- Original Message -------
> > > On Tuesday, May 16th, 2023 at 23:39, alicexbt alicexbt@protonmail.com wrote:
> > >
> > > > Hi Michael,
> > > >
> > > > A disagreement and some thoughts already shared in an email, although it's not clear to some "open source" devs:
> > > >
> > > > Impact of this vulnerability:
> > > >
> > > > - Denial of Service
> > > > - Stale blocks affecting mining pool revenue
> > > >
> > > > Why it should have been reported privately to security@bitcoincore.org, even if initially found affecting only the debug build?
> > > >
> > > > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
> > > >
> > > > CVE is a different process and I am aware of it.
> > > > It would be good for certain developers in the core team to reflect on their own approach to security, regardless of whether their work receives CVE recognition or not.
> > > >
> > > > /dev/fd0
> > > > floppy disk guy
> > > >
> > > > Sent with Proton Mail secure email.
> > > >
> > > > ------- Original Message -------
> > > > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson michaelfolkson@protonmail.com wrote:
> > > >
> > > > > Hi alicexbt
> > > > >
> > > > > The vulnerability reporting process requires communication and resolution via a small group of individuals [0] rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug [1]. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case, especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).
> > > > >
> > > > > An interesting question though, and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved, including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.
> > > > >
> > > > > Thanks
> > > > > Michael
> > > > >
> > > > > --
> > > > > Michael Folkson
> > > > > Email: michaelfolkson at protonmail.com
> > > > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > > > >
> > > > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > > > >
> > > > > ------- Original Message -------
> > > > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > > >
> > > > > > Hi Bitcoin Developers,
> > > > > >
> > > > > > There is an open issue in the bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > > > >
> > > > > > I think this should have been reported privately as a vulnerability instead of creating a GitHub issue, even if it worked only in debug mode. Some users in the comments have also experienced similar issues without a debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours, so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse, and there is nothing wrong in reporting something privately if there is even a 1% possibility of it being a vulnerability. I had recently reported something to the LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
> > > > > >
> > > > > > In the CPU usage issue, maybe the users can run bitcoind with a bigger mempool or try other things shared in the issue by everyone.
> > > > > >
> > > > > > This isn't the first time either when a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet, which affected some projects.
> > > > > >
> > > > > > This email is just a request to consider the impact of any vulnerability, which if it gets exploited could affect a lot of things. Even the projects with no financial activity involved follow better practices.
> > > > > >
> > > > > > /dev/fd0
> > > > > > floppy disk guy
> > > > > >
> > > > > > Sent with Proton Mail secure email.