From: alicexbt
To: Michael Folkson
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Mon, 22 May 2023 12:56:13 +0000
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development

Hi Michael,

> Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't.

Yes, this can be improved.

> Or even that this particular issue could ultimately end up being classed a CVE.

It has been assigned CVE-2023-33297.

/dev/fd0
floppy disk guy

Sent with Proton Mail secure email.

------- Original Message -------
On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson wrote:

> Hi alicexbt
>
> "Open source" has the word "open" in it. Pushing everything into closed, private channels of communication and select groups of individuals is what I've been trying to push back upon. As I said in my initial response "it doesn't scale for all bug reports and investigations to go through this tiny funnel" though "there are clearly examples where the process is critically needed".
>
> Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't. Or even that this particular issue could ultimately end up being classed a CVE. But rather than merely complaining and putting "open source" into quote marks perhaps suggest what class of bug reports should go through the tiny funnel and what shouldn't. Unless you think everything should go through the funnel in which case you are advocating for less openness whilst simultaneously complaining it isn't "open source". Square that circle.
>
> Thanks
> Michael
>
> --
> Michael Folkson
> Email: michaelfolkson at protonmail.com
> GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
>
> Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
>
> ------- Original Message -------
> On Tuesday, May 16th, 2023 at 23:39, alicexbt wrote:
>
> > Hi Michael,
> >
> > A disagreement and some thoughts already shared in an email, although it's not clear to some "open source" devs:
> >
> > Impact of this vulnerability:
> >
> > - Denial of Service
> > - Stale blocks affecting mining pool revenue
> >
> > Why it should have been reported privately to security@bitcoincore.org, even if initially found affecting only the debug build?
> >
> > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
> >
> > CVE is a different process and I am aware of it. It would be good for certain developers in the core team to reflect on their own approach to security, regardless of whether their work receives CVE recognition or not.
> >
> > /dev/fd0
> > floppy disk guy
> >
> > Sent with Proton Mail secure email.
> >
> > ------- Original Message -------
> > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson wrote:
> >
> > > Hi alicexbt
> > >
> > > The vulnerability reporting process requires communication and resolution via a small group of individuals [0] rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug [1]. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case, especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).
> > >
> > > An interesting question though, and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved, including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.
> > >
> > > Thanks
> > > Michael
> > >
> > > [0]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md
> > > [1]: https://bitcoincore.org/en/2018/09/20/notice/
> > >
> > > --
> > > Michael Folkson
> > > Email: michaelfolkson at protonmail.com
> > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > >
> > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > >
> > > ------- Original Message -------
> > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev wrote:
> > >
> > > > Hi Bitcoin Developers,
> > > >
> > > > There is an open issue in the bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > >
> > > > I think this should have been reported privately as a vulnerability instead of creating a GitHub issue, even if it worked only in debug mode. Some users in the comments have also experienced similar issues without a debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours, so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse, and there is nothing wrong in reporting something privately if there is even a 1% possibility of it being a vulnerability. I had recently reported something to the LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
> > > >
> > > > In the CPU usage issue, maybe the users can run bitcoind with a bigger mempool or try other things shared in the issue by everyone.
> > > >
> > > > This isn't the first time either that a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet, which affected some projects.
> > > >
> > > > This email is just a request to consider the impact of any vulnerability: if it gets exploited, it could affect a lot of things. Even the projects with no financial activity involved follow better practices.
> > > >
> > > > /dev/fd0
> > > > floppy disk guy
> > > >
> > > > Sent with Proton Mail secure email.