From: Gregory Maxwell <greg@xiph.org>
Date: Tue, 12 Sep 2017 17:57:32 +0000
To: Sergio Demian Lerner <sergio.d.lerner@gmail.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Responsible disclosure of bugs
Message-ID: <CAAS2fgRE+0Nv6S8a8-v4U16Sn1Es4LCTvwVZocUSsJ5P7X6VYg@mail.gmail.com>
In-Reply-To: <CAKzdR-oYQ8EchpJVE56yJbfBgNHihx7WO_gtFtp6QKOcK7uT-w@mail.gmail.com>

On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> It also implies that sometimes a researcher works hard to investigate a
> vulnerability and later he finds out it was previously reported. It also
> means that the researcher cannot report to alt-coins which have a different
> policy.

I agree with your post, but wanted to make a point of clarification on
the use of "can't".

If someone wants to report something to the Bitcoin project we're
obviously at your mercy in how we handle it. If we disagree on the
handling approach we may try to talk you into a different position
based with a rational judgement based on our experience (or, if
justified, advice that we're likely to whine about your approach in
public). But if you still want to go also report a common issue to
something else with a different approach then you can. Even our
ire/whining can be avoided by a sincere effort to communicate and give
us an opportunity to mitigate harm.

That said, as mentioned, we'd encourage otherwise for issues that
warrant it-- and I think with cause enough that the reporter will
agree. So that is a different kind of "can't". :)

In Bitcoin the overwhelming majority of serious issues we've
encountered have been found by people I'd consider 'inside the
project' (frequent regular contributors who aren't seriously involved
in other things).  That hasn't been so obviously the case for other
open source projects that I've been involved with; but Bitcoin is
pretty good from a basic security perspective and finding additional
issues often requires specialized experience that few people outside
of the project regulars have (though some, like Sergio, clearly do).

I know through direct experience that both Mozilla and the Chrome
project fix _serious_ (like RCE bugs) issues based on internal
discoveries which they do not make public (apparently ever), though
they may coordinate with distributors on some of them.   (Some of
these experiences are also why I give the advice that you should not
consider any computer which has ever run a web browser to be strongly
secure...)