Date: Wed, 27 Mar 2024 07:18:08 -1000
From: "David A. Harding" <dave@dtrt.org>
To: Peter Todd <pete@petertodd.org>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6
Message-ID: <f7fbeb4f58904fc5a24b6fc2d829036c@dtrt.org>

On 2024-03-27 02:10, Peter Todd wrote:
> On Tue, Mar 26, 2024 at 08:36:45AM -1000, David A. Harding wrote:
>> Could you tell us more about the disclosure process you followed?
>
> see attached.

Do I correctly infer from this that you privately reported the attack on
Thursday around 15:46 UTC, didn't receive any replies in four days
(including a weekend), and published the attack on Monday at 13:21 UTC?

That's a very short timeline to use for going public due to not
receiving a response. I think it's typical to give triage at least 30
days to respond, often while also prompting them additional times for a
response if necessary.

-Dave