From: Michael Folkson
To: alicexbt
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Tue, 23 May 2023 16:17:55 +0000
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development

Hi alicexbt

> It has been assigned CVE-2023-33297

Did you personally request the CVE ID? Say via here [0]? Did you confirm with someone listed on the vulnerability reporting process [1] for Bitcoin Core that it made sense to do that at this time? I'm not sure whether completely bypassing that list and requesting CVE IDs for the project as an individual is the way to go. If you have already contacted one of them and they've given you the go ahead to start the CVE process then fine. You weren't particularly clear with what has occurred.

Thanks
Michael

[0]: https://cve.mitre.org/cve/request_id.html
[1]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md

--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F

Learn about Bitcoin: https://www.youtube.com/@portofbitcoin

------- Original Message -------
On Monday, May 22nd, 2023 at 13:56, alicexbt wrote:

> Hi Michael,
>
> > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't.
>
> Yes, this can be improved.
>
> > Or even that this particular issue could ultimately end up being classed a CVE.
>
> It has been assigned CVE-2023-33297
>
> /dev/fd0
> floppy disk guy
>
> Sent with Proton Mail secure email.
>
> ------- Original Message -------
> On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson michaelfolkson@protonmail.com wrote:
>
> > Hi alicexbt
> >
> > "Open source" has the word "open" in it. Pushing everything into closed, private channels of communication and select groups of individuals is what I've been trying to push back upon. As I said in my initial response "it doesn't scale for all bug reports and investigations to go through this tiny funnel" though "there are clearly examples where the process is critically needed".
> >
> > Now that's not to say you may not have a point about better documentation and guidance on what should go through the vulnerability reporting process and what shouldn't. Or even that this particular issue could ultimately end up being classed a CVE. But rather than merely complaining and putting "open source" into quote marks perhaps suggest what class of bug reports should go through the tiny funnel and what shouldn't. Unless you think everything should go through the funnel in which case you are advocating for less openness whilst simultaneously complaining it isn't "open source". Square that circle.
> >
> > Thanks
> > Michael
> >
> > ------- Original Message -------
> > On Tuesday, May 16th, 2023 at 23:39, alicexbt alicexbt@protonmail.com wrote:
> >
> > > Hi Michael,
> > >
> > > A disagreement and some thoughts already shared in an email although it's not clear to some "open source" devs:
> > >
> > > Impact of this vulnerability:
> > >
> > > - Denial of Service
> > > - Stale blocks affecting mining pool revenue
> > >
> > > Why it should have been reported privately to security@bitcoincore.org, even if initially found affecting only debug build?
> > >
> > > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129
> > >
> > > CVE is a different process and I am aware of it. It would be good for certain developers in the core team to reflect on their own approach to security, regardless of whether their work receives CVE recognition or not.
> > >
> > > /dev/fd0
> > > floppy disk guy
> > >
> > > ------- Original Message -------
> > > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson michaelfolkson@protonmail.com wrote:
> > >
> > > > Hi alicexbt
> > > >
> > > > The vulnerability reporting process requires communication and resolution via a small group of individuals [0] rather than through open collaboration between any contributors on the repo. There are clearly examples where the process is critically needed, the most obvious past example being the 2018 inflation bug [1]. However, it doesn't scale for all bug reports and investigations to go through this tiny funnel. For an issue that isn't going to result in loss of onchain funds and doesn't seem to present a systemic issue (e.g. network DoS attack, inflation bug) I'm of the view that opening a public issue was appropriate in this case, especially as the issue initially assumed it was only impacting nodes running in debug mode (not a mode a node in production is likely to be running in).
> > > >
> > > > An interesting question though and I'm certainly happy to be corrected by those who have been investigating the issue. Some delicate trade-offs involved, including understanding and resolving the issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group.
> > > >
> > > > Thanks
> > > > Michael
> > > >
> > > > ------- Original Message -------
> > > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
> > > >
> > > > > Hi Bitcoin Developers,
> > > > >
> > > > > There is an open issue in the bitcoin core repository which was created last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > > >
> > > > > I think this should have been reported privately as a vulnerability instead of creating a GitHub issue even if it worked only in debug mode. Some users in the comments have also experienced similar issues without a debug build used for bitcoind. I have not noticed any decline in the number of listening nodes on bitnodes.io in the last 24 hours so I am assuming this is not an issue with the majority of bitcoin core nodes. However, things could have been worse and there is nothing wrong in reporting something privately if there is even a 1% possibility of it being a vulnerability. I had recently reported something to the LND security team based on a closed issue on GitHub which eventually was not considered a vulnerability: https://github.com/lightningnetwork/lnd/issues/7449
> > > > >
> > > > > In the CPU usage issue, maybe the users can run bitcoind with a bigger mempool or try other things shared in the issue by everyone.
> > > > >
> > > > > This isn't the first time either when a vulnerability was reported publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and this was even exploited on mainnet, which affected some projects.
> > > > >
> > > > > This email is just a request to consider that the impact of any vulnerability, if it gets exploited, could affect a lot of things. Even the projects with no financial activity involved follow better practices.
> > > > >
> > > > > /dev/fd0
> > > > > floppy disk guy