Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 13FFB92B for ; Sun, 10 Sep 2017 23:28:21 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 5397320C for ; Sun, 10 Sep 2017 23:28:20 +0000 (UTC) Received: by mail-wm0-f53.google.com with SMTP id f199so28539578wme.0 for ; Sun, 10 Sep 2017 16:28:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=dlIuYHJwvVKmLiosTNQkWWIQCU4p649kIPY3TOPgxVI=; b=t0/CsWJW8rmU3HkmP0LapvHoVJsKiqiVroFnhltXgw2JX0WtKReBcO/ZYhwbC7u/Xy XAUmoaBNXuPYoHJJyBtw2B1mWxCZLVkmPXEkZ/TOpY1ffAqexWzn08XJjJV0Id4JsOVN VMi2YfL9mNvqQ3SlTQOP0nOqMpF6zwIfl6C/+r9RPP59d2TwpoLGPcXjNNk3fhwFn7/l wMd7oDpQtCWu9okfPjYQnVNPtEIkU7xxbB0BGJuck8kdClIW8q9bvUJDvl6z8Gb6wh9P txuG4blmbJ7AM4w0AYDXsETcnwlNOMT8kYRAc5U71RGBYsXanZatod21s4w9H5ApNc7O X8Og== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=dlIuYHJwvVKmLiosTNQkWWIQCU4p649kIPY3TOPgxVI=; b=jdCN/XGLiV+f+XPzLq96Dhsbm50jWvqRXyQEIcq7XhIUsZRCafzeoHvycqFPffQ/kL 3jJ+J99TMqtEHSIjuItkDSsjiD1PJ/b/TSop1yPmzZ0xGfqjaeeAVdx3sSkmKihPzDV+ FmbejqxTzemz/muYykioZzDjcOPS6mafZ7mwT4SEwaCidgHwk/qCaluOtoB5rcjp7oXB LT968ufmwZ/0ee9v627f+dSNwndtato/oo5bXN2Y7byHFq4J/R/wmaL8dufE4pf7sShY YK2trN9dSFym7SSQnHeUJMaaThEdBOoWAQEy7INs+ggI34G+ewgSoh8zDaaloRSBrahq 1WcQ== X-Gm-Message-State: AHPjjUj+cGBKYNxly1QFdb6b4NSAo8l1OK/ulc6M6voZGWwyL55gPfnZ pHFUiREh2O8dPZNa2vPg3vVl67NpRZPhbYYKSB5SvQ== X-Google-Smtp-Source: AOwi7QDpbW3iQnvcfBlT5gC2tz0/H2MG1U7PeE4VmxZ8ubSPwNX7/UEIk7W8EdcBRlpnywMo3vN/9JBppffMtn21P3Y= X-Received: by 10.28.155.146 with SMTP id d140mr6556596wme.4.1505086098921; Sun, 10 Sep 2017 16:28:18 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.187.215 with HTTP; Sun, 10 Sep 2017 16:28:18 -0700 (PDT) Received: by 10.28.187.215 with HTTP; Sun, 10 Sep 2017 16:28:18 -0700 (PDT) In-Reply-To: References: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com> From: CryptAxe Date: Sun, 10 Sep 2017 16:28:18 -0700 Message-ID: To: Matt Corallo , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="001a11454a9e485ea30558de2af7" X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 10 Sep 2017 23:29:51 +0000 Subject: Re: [bitcoin-dev] Responsible disclosure of bugs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Sep 2017 23:28:21 -0000 --001a11454a9e485ea30558de2af7 Content-Type: text/plain; charset="UTF-8" I don't think we should put any Bitcoin users at additional risk to help altcoins. If they fork the code they are making maintenance their own responsibly. It's hard to disclose a bitcoin vulnerability considering the network is decentralised and core can't force everyone to update. Maybe a timeout period for vulnerabilities could be decided. People might be expected to patched before then at which point the vulnerability can be published. Is that not already sort of how it works? On Sep 10, 2017 4:10 PM, "Matt Corallo via bitcoin-dev" < bitcoin-dev@lists.linuxfoundation.org> wrote: > I believe there continues to be concern over a number of altcoins which > are running old, unpatched forks of Bitcoin Core, making it rather > difficult to disclose issues without putting people at risk (see, eg, > some of the dos issues which are preventing release of the alert key). > I'd encourage the list to have a discussion about what reasonable > approaches could be taken there. > > On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote: > > Hi, > > > > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin > > conference, and the subsequent discussion around responsible disclosure > > and industry practice, perhaps now would be a good time to discuss > > "Bitcoin and CVEs" which has gone unanswered for 6 months. > > > > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/ > 2017-March/013751.html > > > > To quote: > > > > "Are there are any vulnerabilities in Bitcoin which have been fixed but > > not yet publicly disclosed? Is the following list of Bitcoin CVEs > > up-to-date? > > > > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures > > > > There have been no new CVEs posted for almost three years, except for > > CVE-2015-3641, but there appears to be no information publicly available > > for that issue: > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641 > > > > It would be of great benefit to end users if the community of clients > > and altcoins derived from Bitcoin Core could be patched for any known > > vulnerabilities. > > > > Does anyone keep track of security related bugs and patches, where the > > defect severity is similar to those found on the CVE list above? If > > yes, can that list be shared with other developers?" > > > > Best Regards, > > Simon > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --001a11454a9e485ea30558de2af7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I don't think we should put any Bitcoin users at addi= tional risk to help altcoins. If they fork the code they are making mainten= ance their own responsibly.

It= 's hard to disclose a bitcoin vulnerability considering the network is = decentralised and core can't force everyone to update. Maybe a timeout = period for vulnerabilities could be decided. People might be expected to pa= tched before then at which point the vulnerability can be published. Is tha= t not already sort of how it works?=C2=A0

On Sep 10, 2017 4:10 PM, "Matt Cor= allo via bitcoin-dev" <bitcoin-dev@lists.linuxfoundation.org> wrote:
I believe there continues t= o be concern over a number of altcoins which
are running old, unpatched forks of Bitcoin Core, making it rather
difficult to disclose issues without putting people at risk (see, eg,
some of the dos issues which are preventing release of the alert key).
I'd encourage the list to have a discussion about what reasonable
approaches could be taken there.

On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> Hi,
>
> Given today's presentation by Chris Jeffrey at the Breaking Bitcoi= n
> conference, and the subsequent discussion around responsible disclosur= e
> and industry practice, perhaps now would be a good time to discuss
> "Bitcoin and CVEs" which has gone unanswered for 6 months. >
> https://lists.lin= uxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html=
>
> To quote:
>
> "Are there are any vulnerabilities in Bitcoin which have been fix= ed but
> not yet publicly disclosed?=C2=A0 Is the following list of Bitcoin CVE= s
> up-to-date?
>
> https://en.bitcoin.it/wiki/= Common_Vulnerabilities_and_Exposures
>
> There have been no new CVEs posted for almost three years, except for<= br> > CVE-2015-3641, but there appears to be no information publicly availab= le
> for that issue:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-3641
>
> It would be of great benefit to end users if the community of clients<= br> > and altcoins derived from Bitcoin Core could be patched for any known<= br> > vulnerabilities.
>
> Does anyone keep track of security related bugs and patches, where the=
> defect severity is similar to those found on the CVE list above?=C2=A0= If
> yes, can that list be shared with other developers?"
>
> Best Regards,
> Simon
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@l= ists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.= linuxfoundation.org
https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev
--001a11454a9e485ea30558de2af7--