Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7D521C002D for ; Fri, 19 Aug 2022 03:09:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 43B4141C06 for ; Fri, 19 Aug 2022 03:09:59 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 43B4141C06 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_pq7Z8rwBI4 for ; Fri, 19 Aug 2022 03:09:58 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org D31F841B95 Received: from azure.erisian.com.au (azure.erisian.com.au [172.104.61.193]) by smtp4.osuosl.org (Postfix) with ESMTPS id D31F841B95 for ; Fri, 19 Aug 2022 03:09:57 +0000 (UTC) Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au) by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian)) id 1oOsOO-0002wF-1p; Fri, 19 Aug 2022 13:09:54 +1000 Received: by sapphire.erisian.com.au (sSMTP sendmail emulation); Fri, 19 Aug 2022 13:09:46 +1000 Date: Fri, 19 Aug 2022 13:09:46 +1000 From: Anthony Towns To: Prayank , Bitcoin Protocol Discussion Message-ID: References: <202110032133.44726.luke@dashjr.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Score-int: -18 X-Spam-Bar: - Subject: Re: [bitcoin-dev] Mock introducing vulnerability in important Bitcoin projects X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Aug 2022 03:09:59 -0000 On Thu, Nov 18, 2021 at 09:29:24PM +0100, Prayank via bitcoin-dev wrote: > After reading all the emails, personally experiencing review process especially on important issues like privacy and security, re-evaluating everything and considering the time I can spend on this, I have decided to do this exercise for 3 projects with just 1 account. I have created a salted hash for the username as you had mentioned in the first email: > f40bcb13dbcbf7b6245becb757777586c22798ed7360cd9853572152ddf07a39 > 3 Bitcoin projects are Bitcoin Core (full node implementation), LND (LN implementation) and Bisq (DEX). > Pull requests will be created in next 6 months. If vulnerability gets caught during review, will publicly announce here that the project caught the PR and reveal the de-commitment publicly. If not caught during review, will privately reveal both the inserted vulnerability and the review failure via the normal private vulnerability-reporting channels. A summary with all the details will be shared later. It's now been nine months since this email, but I don't believe there's been any public report on this exercise. Does this mean that a vulnerability has been introduced in one or all of the named projects? Cheers, aj