Return-Path: <simon@bitcartel.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 2D8B589F
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 10 Sep 2017 22:03:53 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pg0-f42.google.com (mail-pg0-f42.google.com [74.125.83.42])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 9E605180
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 10 Sep 2017 22:03:52 +0000 (UTC)
Received: by mail-pg0-f42.google.com with SMTP id j16so1920812pga.1
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 10 Sep 2017 15:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=bitcartel-com.20150623.gappssmtp.com; s=20150623;
	h=from:subject:to:message-id:date:user-agent:mime-version
	:content-language:content-transfer-encoding;
	bh=hj08VYTTuq6LWeB7cSMpIslbmqWhrsjv4rhZYFs46iM=;
	b=Hqb5qCPvN31lm8kBX5f+AT4yLgWJyFXd8hHEmBGVQ0OF4XGbkOcKMg/QQeGW1qsLdg
	h2YRJm4TBtC7UtNkMxyDzCIW2IDGpj4AAR63egB9CHcZrzETEP76YI45aPLWGRa+kXKh
	J/26j93am7lGKt89b4K+9/cYRYD9t5Uwjvcm9xKn5qsysKw7gDlJG9W5Leajz+w9LnX/
	p6XasuwWCJlqmXF7ej8+pgjdZj63O8qnnRpq7Q4O6PndPuxda5O/alrtm78LIjZXPetZ
	YCsLXdDB095B2PbeVnaVX3s7CExsg5ML147uW/spYvqXP1+TRSDPDe5SN9m2pxK6blzh
	fVTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:subject:to:message-id:date:user-agent
	:mime-version:content-language:content-transfer-encoding;
	bh=hj08VYTTuq6LWeB7cSMpIslbmqWhrsjv4rhZYFs46iM=;
	b=mAfXObqSzFAMZBdft4fG0waZgCyBK4rwnQyyZdTmTwQmf5dR2h4iDvq1M9wF+KwjXU
	9DAwINoksGNi9dUUHIWRe/yZfR7ED5m3UULoiHJ57cfu6MI7PF9ntY574F46huso/eLB
	SiKhZQrc72cndgZbo/SllUvocevLRzKt8/1yk1kUbWP9GzAuQe/xela3V7JQj5T+PNM8
	iWSbcOd2mJHvxSsh9doCyw3zAq7V+NrXH2RrVESIsHQHbPqdeHj4lSjK1YQMYcQw0xiH
	xjZZqHp5+fy0MFy27jkHqzutTanC8KG8DR5gruGOII6JIDehmxXduuWZYFMlqCcnv5xE
	6C9w==
X-Gm-Message-State: AHPjjUgMQRoP9bHiARlMvuFB1ig9pYJrsHZC+f9Hcq+V68Hpl84S5hM4
	k7IR/jtOI//6UGy9xE1Uhw==
X-Google-Smtp-Source: ADKCNb6kax5oE41yk8xW7s5TpT5N3dosshmj09qzxSzp/2Wn4Xzn1CS1vtw6Jc7XDyl+4vlFjlAfiw==
X-Received: by 10.101.82.140 with SMTP id y12mr10044800pgp.142.1505081031816; 
	Sun, 10 Sep 2017 15:03:51 -0700 (PDT)
Received: from [10.0.35.131] (50-254-134-21-static.hfc.comcastbusiness.net.
	[50.254.134.21]) by smtp.googlemail.com with ESMTPSA id
	a78sm14415025pfl.39.2017.09.10.15.03.49
	for <bitcoin-dev@lists.linuxfoundation.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Sun, 10 Sep 2017 15:03:49 -0700 (PDT)
From: Simon Liu <simon@bitcartel.com>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>
Date: Sun, 10 Sep 2017 15:03:48 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
	Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.0 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	RCVD_IN_DNSWL_NONE autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Sun, 10 Sep 2017 22:23:26 +0000
Subject: [bitcoin-dev] Responsible disclosure of bugs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Sep 2017 22:03:53 -0000

Hi,

Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
conference, and the subsequent discussion around responsible disclosure
and industry practice, perhaps now would be a good time to discuss
"Bitcoin and CVEs" which has gone unanswered for 6 months.

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html

To quote:

"Are there are any vulnerabilities in Bitcoin which have been fixed but
not yet publicly disclosed?  Is the following list of Bitcoin CVEs
up-to-date?

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

There have been no new CVEs posted for almost three years, except for
CVE-2015-3641, but there appears to be no information publicly available
for that issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641

It would be of great benefit to end users if the community of clients
and altcoins derived from Bitcoin Core could be patched for any known
vulnerabilities.

Does anyone keep track of security related bugs and patches, where the
defect severity is similar to those found on the CVE list above?  If
yes, can that list be shared with other developers?"

Best Regards,
Simon