Date: Wed, 27 Mar 2024 07:18:08 -1000
From: "David A. Harding"
To: Peter Todd
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] A Free-Relay Attack Exploiting RBF Rule #6

On 2024-03-27 02:10, Peter Todd wrote:
> On Tue, Mar 26, 2024 at 08:36:45AM -1000, David A. Harding wrote:
>> Could you tell us more about the disclosure process you followed?
>
> see attached.

Do I correctly infer from this that you privately reported the attack on Thursday around 15:46 UTC, didn't receive any replies in four days (including a weekend), and published the attack on Monday at 13:21 UTC?

That's a very short timeline to use for going public due to not receiving a response. I think it's typical to give triage at least 30 days to respond, often while also prompting them additional times for a response if necessary.

-Dave