1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
|
Return-Path: <cryptaxe@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 13FFB92B
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 10 Sep 2017 23:28:21 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 5397320C
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 10 Sep 2017 23:28:20 +0000 (UTC)
Received: by mail-wm0-f53.google.com with SMTP id f199so28539578wme.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 10 Sep 2017 16:28:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:in-reply-to:references:from:date:message-id:subject:to
:cc; bh=dlIuYHJwvVKmLiosTNQkWWIQCU4p649kIPY3TOPgxVI=;
b=t0/CsWJW8rmU3HkmP0LapvHoVJsKiqiVroFnhltXgw2JX0WtKReBcO/ZYhwbC7u/Xy
XAUmoaBNXuPYoHJJyBtw2B1mWxCZLVkmPXEkZ/TOpY1ffAqexWzn08XJjJV0Id4JsOVN
VMi2YfL9mNvqQ3SlTQOP0nOqMpF6zwIfl6C/+r9RPP59d2TwpoLGPcXjNNk3fhwFn7/l
wMd7oDpQtCWu9okfPjYQnVNPtEIkU7xxbB0BGJuck8kdClIW8q9bvUJDvl6z8Gb6wh9P
txuG4blmbJ7AM4w0AYDXsETcnwlNOMT8kYRAc5U71RGBYsXanZatod21s4w9H5ApNc7O
X8Og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:in-reply-to:references:from:date
:message-id:subject:to:cc;
bh=dlIuYHJwvVKmLiosTNQkWWIQCU4p649kIPY3TOPgxVI=;
b=jdCN/XGLiV+f+XPzLq96Dhsbm50jWvqRXyQEIcq7XhIUsZRCafzeoHvycqFPffQ/kL
3jJ+J99TMqtEHSIjuItkDSsjiD1PJ/b/TSop1yPmzZ0xGfqjaeeAVdx3sSkmKihPzDV+
FmbejqxTzemz/muYykioZzDjcOPS6mafZ7mwT4SEwaCidgHwk/qCaluOtoB5rcjp7oXB
LT968ufmwZ/0ee9v627f+dSNwndtato/oo5bXN2Y7byHFq4J/R/wmaL8dufE4pf7sShY
YK2trN9dSFym7SSQnHeUJMaaThEdBOoWAQEy7INs+ggI34G+ewgSoh8zDaaloRSBrahq
1WcQ==
X-Gm-Message-State: AHPjjUj+cGBKYNxly1QFdb6b4NSAo8l1OK/ulc6M6voZGWwyL55gPfnZ
pHFUiREh2O8dPZNa2vPg3vVl67NpRZPhbYYKSB5SvQ==
X-Google-Smtp-Source: AOwi7QDpbW3iQnvcfBlT5gC2tz0/H2MG1U7PeE4VmxZ8ubSPwNX7/UEIk7W8EdcBRlpnywMo3vN/9JBppffMtn21P3Y=
X-Received: by 10.28.155.146 with SMTP id d140mr6556596wme.4.1505086098921;
Sun, 10 Sep 2017 16:28:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.187.215 with HTTP; Sun, 10 Sep 2017 16:28:18 -0700 (PDT)
Received: by 10.28.187.215 with HTTP; Sun, 10 Sep 2017 16:28:18 -0700 (PDT)
In-Reply-To: <cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com>
References: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>
<cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com>
From: CryptAxe <cryptaxe@gmail.com>
Date: Sun, 10 Sep 2017 16:28:18 -0700
Message-ID: <CAF5CFkifQYnLC4vhLy5EtyFrpk4tAE_VqXobeWBvKEzgegxipw@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="001a11454a9e485ea30558de2af7"
X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,
RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Sun, 10 Sep 2017 23:29:51 +0000
Subject: Re: [bitcoin-dev] Responsible disclosure of bugs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Sep 2017 23:28:21 -0000
--001a11454a9e485ea30558de2af7
Content-Type: text/plain; charset="UTF-8"
I don't think we should put any Bitcoin users at additional risk to help
altcoins. If they fork the code they are making maintenance their own
responsibly.
It's hard to disclose a bitcoin vulnerability considering the network is
decentralised and core can't force everyone to update. Maybe a timeout
period for vulnerabilities could be decided. People might be expected to
patched before then at which point the vulnerability can be published. Is
that not already sort of how it works?
On Sep 10, 2017 4:10 PM, "Matt Corallo via bitcoin-dev" <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> I believe there continues to be concern over a number of altcoins which
> are running old, unpatched forks of Bitcoin Core, making it rather
> difficult to disclose issues without putting people at risk (see, eg,
> some of the dos issues which are preventing release of the alert key).
> I'd encourage the list to have a discussion about what reasonable
> approaches could be taken there.
>
> On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > Hi,
> >
> > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > conference, and the subsequent discussion around responsible disclosure
> > and industry practice, perhaps now would be a good time to discuss
> > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> >
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-March/013751.html
> >
> > To quote:
> >
> > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > not yet publicly disclosed? Is the following list of Bitcoin CVEs
> > up-to-date?
> >
> > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> >
> > There have been no new CVEs posted for almost three years, except for
> > CVE-2015-3641, but there appears to be no information publicly available
> > for that issue:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> >
> > It would be of great benefit to end users if the community of clients
> > and altcoins derived from Bitcoin Core could be patched for any known
> > vulnerabilities.
> >
> > Does anyone keep track of security related bugs and patches, where the
> > defect severity is similar to those found on the CVE list above? If
> > yes, can that list be shared with other developers?"
> >
> > Best Regards,
> > Simon
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--001a11454a9e485ea30558de2af7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto">I don't think we should put any Bitcoin users at addi=
tional risk to help altcoins. If they fork the code they are making mainten=
ance their own responsibly.<div dir=3D"auto"><br></div><div dir=3D"auto">It=
's hard to disclose a bitcoin vulnerability considering the network is =
decentralised and core can't force everyone to update. Maybe a timeout =
period for vulnerabilities could be decided. People might be expected to pa=
tched before then at which point the vulnerability can be published. Is tha=
t not already sort of how it works?=C2=A0</div></div><div class=3D"gmail_ex=
tra"><br><div class=3D"gmail_quote">On Sep 10, 2017 4:10 PM, "Matt Cor=
allo via bitcoin-dev" <<a href=3D"mailto:bitcoin-dev@lists.linuxfou=
ndation.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br type=
=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex">I believe there continues t=
o be concern over a number of altcoins which<br>
are running old, unpatched forks of Bitcoin Core, making it rather<br>
difficult to disclose issues without putting people at risk (see, eg,<br>
some of the dos issues which are preventing release of the alert key).<br>
I'd encourage the list to have a discussion about what reasonable<br>
approaches could be taken there.<br>
<br>
On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:<br>
> Hi,<br>
><br>
> Given today's presentation by Chris Jeffrey at the Breaking Bitcoi=
n<br>
> conference, and the subsequent discussion around responsible disclosur=
e<br>
> and industry practice, perhaps now would be a good time to discuss<br>
> "Bitcoin and CVEs" which has gone unanswered for 6 months.<b=
r>
><br>
> <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/201=
7-March/013751.html" rel=3D"noreferrer" target=3D"_blank">https://lists.lin=
uxfoundation.<wbr>org/pipermail/bitcoin-dev/<wbr>2017-March/013751.html</a>=
<br>
><br>
> To quote:<br>
><br>
> "Are there are any vulnerabilities in Bitcoin which have been fix=
ed but<br>
> not yet publicly disclosed?=C2=A0 Is the following list of Bitcoin CVE=
s<br>
> up-to-date?<br>
><br>
> <a href=3D"https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Expos=
ures" rel=3D"noreferrer" target=3D"_blank">https://en.bitcoin.it/wiki/<wbr>=
Common_Vulnerabilities_and_<wbr>Exposures</a><br>
><br>
> There have been no new CVEs posted for almost three years, except for<=
br>
> CVE-2015-3641, but there appears to be no information publicly availab=
le<br>
> for that issue:<br>
><br>
> <a href=3D"https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-3=
641" rel=3D"noreferrer" target=3D"_blank">https://cve.mitre.org/cgi-bin/<wb=
r>cvename.cgi?name=3DCVE-2015-3641</a><br>
><br>
> It would be of great benefit to end users if the community of clients<=
br>
> and altcoins derived from Bitcoin Core could be patched for any known<=
br>
> vulnerabilities.<br>
><br>
> Does anyone keep track of security related bugs and patches, where the=
<br>
> defect severity is similar to those found on the CVE list above?=C2=A0=
If<br>
> yes, can that list be shared with other developers?"<br>
><br>
> Best Regards,<br>
> Simon<br>
> ______________________________<wbr>_________________<br>
> bitcoin-dev mailing list<br>
> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@l=
ists.<wbr>linuxfoundation.org</a><br>
> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wb=
r>org/mailman/listinfo/bitcoin-<wbr>dev</a><br>
><br>
______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
</blockquote></div></div>
--001a11454a9e485ea30558de2af7--
|