Return-Path: <simon@bitcartel.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 76375504
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 21 Mar 2017 02:47:36 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pg0-f43.google.com (mail-pg0-f43.google.com [74.125.83.43])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 94CD1180
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 21 Mar 2017 02:47:35 +0000 (UTC)
Received: by mail-pg0-f43.google.com with SMTP id g2so86235232pge.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Mon, 20 Mar 2017 19:47:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=bitcartel-com.20150623.gappssmtp.com; s=20150623;
	h=from:subject:to:message-id:date:user-agent:mime-version
	:content-transfer-encoding;
	bh=pH7Srn3DsN84LYaOQw1wiH4LsaQ8myKcnc7CgQym9iA=;
	b=T6cRSiAX+GoLT6CemSYww18NnF8Mw3KiF9JvIBYTJrxGhp7Kj0+BAn/nEwyZC6rLQA
	RfI/ki18/CsPhWpUK0yKpFx8Z2ABr0B9KrBFmltxpTg6IWDLlWL0dOJAjmJW1ZlwcwdI
	bgioH8cHSiZb53i6Qp+jt4yn7WLYzKvjKtG0l6dsYuOQEUw0BB1LBYqJ+d84Zf3hmXR8
	jBNfG1BzngZUMLz2rXvtcmlGO2LEZASKoWHI8WaqDyOl8kGCdJ6nugKHWjUYWxXKIcy3
	9FnVuaXVF5e/Z8LYiYyaW84GCdIIbUGsSLPuyGO1dRD3nkHGb3yWn+J+gO9oNzy48biC
	c/NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:subject:to:message-id:date:user-agent
	:mime-version:content-transfer-encoding;
	bh=pH7Srn3DsN84LYaOQw1wiH4LsaQ8myKcnc7CgQym9iA=;
	b=rz9UyE8KAYg5QoO+p9R3MAi/wB4vane/ixfTjjpVIP7XgQ+L2gd/v6XqwFVE9YfLkh
	IGNDR8Z65VGZItiIWqS0+zLPLrLJUuPPKhZaprfIqgWEmCgUh6kEY80N5m+TYu9qUG1l
	suCfZwrLVcXv6mtqHyVPc0FeLrcXi5PqABj0SU8M4WGnKphL1KSZRR2o6cci9lCSAJ9B
	if/KU4dmqOChlEfDokcJmBDeHrbYccOSfCPDZC3osIuzaWcVx3DBvivy11BFOpVvdPs7
	wKqGAjupD9AbjwKw7lnKgJKsm7b+eYsW0Hp/8siP11tCjGWdQSgp9Wd5DM90rVEzu4QL
	UZbQ==
X-Gm-Message-State: AFeK/H2fBdYgyhz/uXYiKwFzGx7SvGbmUdESVglY0zK1XCwI94m6myzQplNWaVhRs/9TRQ==
X-Received: by 10.98.82.216 with SMTP id g207mr36760385pfb.139.1490064454869; 
	Mon, 20 Mar 2017 19:47:34 -0700 (PDT)
Received: from [192.168.1.133] (c-73-241-250-8.hsd1.ca.comcast.net.
	[73.241.250.8]) by smtp.googlemail.com with ESMTPSA id
	b10sm1785720pga.39.2017.03.20.19.47.32
	for <bitcoin-dev@lists.linuxfoundation.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Mon, 20 Mar 2017 19:47:32 -0700 (PDT)
From: Simon Liu <simon@bitcartel.com>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <cb4932bb-6fd0-0a03-6224-fd20b6cb3539@bitcartel.com>
Date: Mon, 20 Mar 2017 19:47:31 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
	Thunderbird/45.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: [bitcoin-dev] Bitcoin and CVEs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 02:47:36 -0000

Hi,

Are there are any vulnerabilities in Bitcoin which have been fixed but
not yet publicly disclosed?  Is the following list of Bitcoin CVEs
up-to-date?

https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures

There have been no new CVEs posted for almost three years, except for
CVE-2015-3641, but there appears to be no information publicly available
for that issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641

It would be of great benefit to end users if the community of clients
and altcoins derived from Bitcoin Core could be patched for any known
vulnerabilities.

Does anyone keep track of security related bugs and patches, where the
defect severity is similar to those found on the CVE list above?  If
yes, can that list be shared with other developers?

If some fixes have been committed with discreet log messages, it will be
difficult for third parties to identify and assess the importance of any
critical patches.  Do any important ones come to mind?

Finally, curious to know, what has changed since 2014 that has resulted
in the defect rate, at least based on the list of publicly reported
CVEs, to fall to zero?  A change to the development process?
Introduction of a bug bounty?

Best Regards,

Simon