MIME-Version: 1.0
In-Reply-To: <cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com>
References: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>
	<cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com>
From: CryptAxe <cryptaxe@gmail.com>
Date: Sun, 10 Sep 2017 16:28:18 -0700
Message-ID: <CAF5CFkifQYnLC4vhLy5EtyFrpk4tAE_VqXobeWBvKEzgegxipw@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>, 
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="001a11454a9e485ea30558de2af7"
Subject: Re: [bitcoin-dev] Responsible disclosure of bugs
Precedence: list

--001a11454a9e485ea30558de2af7
Content-Type: text/plain; charset="UTF-8"

I don't think we should put any Bitcoin users at additional risk to help
altcoins. If they fork the code they are making maintenance their own
responsibly.

It's hard to disclose a bitcoin vulnerability considering the network is
decentralised and core can't force everyone to update. Maybe a timeout
period for vulnerabilities could be decided. People might be expected to
patched before then at which point the vulnerability can be published. Is
that not already sort of how it works?

On Sep 10, 2017 4:10 PM, "Matt Corallo via bitcoin-dev" <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> I believe there continues to be concern over a number of altcoins which
> are running old, unpatched forks of Bitcoin Core, making it rather
> difficult to disclose issues without putting people at risk (see, eg,
> some of the dos issues which are preventing release of the alert key).
> I'd encourage the list to have a discussion about what reasonable
> approaches could be taken there.
>
> On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> > Hi,
> >
> > Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> > conference, and the subsequent discussion around responsible disclosure
> > and industry practice, perhaps now would be a good time to discuss
> > "Bitcoin and CVEs" which has gone unanswered for 6 months.
> >
> > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
> 2017-March/013751.html
> >
> > To quote:
> >
> > "Are there are any vulnerabilities in Bitcoin which have been fixed but
> > not yet publicly disclosed?  Is the following list of Bitcoin CVEs
> > up-to-date?
> >
> > https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> >
> > There have been no new CVEs posted for almost three years, except for
> > CVE-2015-3641, but there appears to be no information publicly available
> > for that issue:
> >
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> >
> > It would be of great benefit to end users if the community of clients
> > and altcoins derived from Bitcoin Core could be patched for any known
> > vulnerabilities.
> >
> > Does anyone keep track of security related bugs and patches, where the
> > defect severity is similar to those found on the CVE list above?  If
> > yes, can that list be shared with other developers?"
> >
> > Best Regards,
> > Simon
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--001a11454a9e485ea30558de2af7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">I don&#39;t think we should put any Bitcoin users at addi=
tional risk to help altcoins. If they fork the code they are making mainten=
ance their own responsibly.<div dir=3D"auto"><br></div><div dir=3D"auto">It=
&#39;s hard to disclose a bitcoin vulnerability considering the network is =
decentralised and core can&#39;t force everyone to update. Maybe a timeout =
period for vulnerabilities could be decided. People might be expected to pa=
tched before then at which point the vulnerability can be published. Is tha=
t not already sort of how it works?=C2=A0</div></div><div class=3D"gmail_ex=
tra"><br><div class=3D"gmail_quote">On Sep 10, 2017 4:10 PM, &quot;Matt Cor=
allo via bitcoin-dev&quot; &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfou=
ndation.org">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br type=
=3D"attribution"><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8=
ex;border-left:1px #ccc solid;padding-left:1ex">I believe there continues t=
o be concern over a number of altcoins which<br>
are running old, unpatched forks of Bitcoin Core, making it rather<br>
difficult to disclose issues without putting people at risk (see, eg,<br>
some of the dos issues which are preventing release of the alert key).<br>
I&#39;d encourage the list to have a discussion about what reasonable<br>
approaches could be taken there.<br>
<br>
On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; Given today&#39;s presentation by Chris Jeffrey at the Breaking Bitcoi=
n<br>
&gt; conference, and the subsequent discussion around responsible disclosur=
e<br>
&gt; and industry practice, perhaps now would be a good time to discuss<br>
&gt; &quot;Bitcoin and CVEs&quot; which has gone unanswered for 6 months.<b=
r>
&gt;<br>
&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/201=
7-March/013751.html" rel=3D"noreferrer" target=3D"_blank">https://lists.lin=
uxfoundation.<wbr>org/pipermail/bitcoin-dev/<wbr>2017-March/013751.html</a>=
<br>
&gt;<br>
&gt; To quote:<br>
&gt;<br>
&gt; &quot;Are there are any vulnerabilities in Bitcoin which have been fix=
ed but<br>
&gt; not yet publicly disclosed?=C2=A0 Is the following list of Bitcoin CVE=
s<br>
&gt; up-to-date?<br>
&gt;<br>
&gt; <a href=3D"https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Expos=
ures" rel=3D"noreferrer" target=3D"_blank">https://en.bitcoin.it/wiki/<wbr>=
Common_Vulnerabilities_and_<wbr>Exposures</a><br>
&gt;<br>
&gt; There have been no new CVEs posted for almost three years, except for<=
br>
&gt; CVE-2015-3641, but there appears to be no information publicly availab=
le<br>
&gt; for that issue:<br>
&gt;<br>
&gt; <a href=3D"https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-3=
641" rel=3D"noreferrer" target=3D"_blank">https://cve.mitre.org/cgi-bin/<wb=
r>cvename.cgi?name=3DCVE-2015-3641</a><br>
&gt;<br>
&gt; It would be of great benefit to end users if the community of clients<=
br>
&gt; and altcoins derived from Bitcoin Core could be patched for any known<=
br>
&gt; vulnerabilities.<br>
&gt;<br>
&gt; Does anyone keep track of security related bugs and patches, where the=
<br>
&gt; defect severity is similar to those found on the CVE list above?=C2=A0=
 If<br>
&gt; yes, can that list be shared with other developers?&quot;<br>
&gt;<br>
&gt; Best Regards,<br>
&gt; Simon<br>
&gt; ______________________________<wbr>_________________<br>
&gt; bitcoin-dev mailing list<br>
&gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@l=
ists.<wbr>linuxfoundation.org</a><br>
&gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-=
dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wb=
r>org/mailman/listinfo/bitcoin-<wbr>dev</a><br>
&gt;<br>
______________________________<wbr>_________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.=
<wbr>linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.<wbr>org=
/mailman/listinfo/bitcoin-<wbr>dev</a><br>
</blockquote></div></div>

--001a11454a9e485ea30558de2af7--