From: Simon Liu
To: Bitcoin Dev
Message-ID: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>
Date: Sun, 10 Sep 2017 15:03:48 -0700
Subject: [bitcoin-dev] Responsible disclosure of bugs

Hi,

Given today's presentation by Chris Jeffrey at the Breaking Bitcoin conference, and the subsequent discussion around responsible disclosure and industry practice, perhaps now would be a good time to discuss "Bitcoin and CVEs" which has gone unanswered for 6 months.

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html

To quote:

"Are there any vulnerabilities in Bitcoin which have been fixed but not yet publicly disclosed? Is the following list of Bitcoin CVEs up-to-date?

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

There have been no new CVEs posted for almost three years, except for CVE-2015-3641, but there appears to be no information publicly available for that issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641

It would be of great benefit to end users if the community of clients and altcoins derived from Bitcoin Core could be patched for any known vulnerabilities.

Does anyone keep track of security related bugs and patches, where the defect severity is similar to those found on the CVE list above? If yes, can that list be shared with other developers?"

Best Regards,
Simon