Date: Thu, 4 Jul 2024 07:34:09 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy

Hi Eric,

> Many other projects have been on the receiving end of this misperception,
> and it has in fact caused material harm to the community

Without getting into unnecessarily re-opening old wounds, if you have
examples of what has caused material harm to the community, it can be
interesting to share.
From experience with second-layers, as soon as you start to have many
codebases affected by a vuln, it's another kind of dynamics so good to draw
lessons.

> I don't know what precipitated this change, but props to you all for
> stepping up.

About the timing, among many factors, the bitcoin whitepaper assignment
legal issue is hopefully less a concern now so some competent people have
more time to handle that job of publicly disclosing security bugs. In
addition, the bitcoin open-source landscape has more resources (for the
best and worst) than 10 years ago. From sharing beers with Amir not so
lately, it wasn't that +10 years ago. I know he was kicked off from the
original sec list, though I'm not sure the reasons are well-known.

Best,
Antoine

On Thursday, 4 July 2024 at 02:13:15 UTC+1, Eric Voskuil wrote:

> > The project has historically done a poor job at publicly disclosing
> > security-critical bugs, whether externally reported or found by
> > contributors. This has led to a situation where a lot of users perceive
> > Bitcoin Core as never having bugs. This perception is dangerous and,
> > unfortunately, not accurate.
>
> I have to say this is one of the most compelling statements I've seen from
> the bitcoind/Bitcoin Core team in over 10 years. Many other projects have
> been on the receiving end of this misperception, and it has in fact caused
> material harm to the community. I don't know what precipitated this change,
> but props to you all for stepping up.
>
> Best,
> Eric
