path: root/e3/7eeb463afdba9ad6eebca1bd2a1132de11b0df

Return-Path: <michaelfolkson@protonmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id AE907C002A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 23 May 2023 16:18:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 7BF7483CAB
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 23 May 2023 16:18:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 7BF7483CAB
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=protonmail.com header.i=@protonmail.com
 header.a=rsa-sha256 header.s=protonmail3 header.b=E0b/Z1u/
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level: 
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 8cSATVzcUOda
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 23 May 2023 16:18:10 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 1D4A783CA7
Received: from mail-4316.protonmail.ch (mail-4316.protonmail.ch [185.70.43.16])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 1D4A783CA7
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 23 May 2023 16:18:09 +0000 (UTC)
Date: Tue, 23 May 2023 16:17:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail3; t=1684858687; x=1685117887;
 bh=qD8Qb5R9+qH9eKDr5xeC563AZJ79QfQZ1wi1l/QtpoI=;
 h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References:
 Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID:
 Message-ID:BIMI-Selector;
 b=E0b/Z1u/rPyyhYlJthZxxkQEaElhOnBAQKxxUTzygg03oEgDNY1YwZSsMJ2lUmFwM
 3ayoJgxCIL0SaH7zOsgSLeJBUXdzO7yNDJPyapK054OHI8aWYAyPbq1czAPAEGsZLI
 d9dlDSXvf0xbvVUiOPhZ+JS7j5qTuw626mLDqRnEPNcKuDgFF8c+iP3+wcpcYT5nCj
 CxuMoOfBXH9rmHs/uCL74fdT0YgeGkUgkXE1npR+hCvmpYtnmRlJgx7rdnOcJofCAy
 Pf+OkKyu1acjmNRqhypL0Jarukp4iHqFErUuIm3CDMHSHzsZWn8hsfiSACaAebeW50
 9BVK/mF3PpMBw==
To: alicexbt <alicexbt@protonmail.com>
From: Michael Folkson <michaelfolkson@protonmail.com>
Message-ID: <ZK1WioZUQp4XKBw9a8RxvLRRtlxsnQ8NoZ5SPIbcMVqeW3D9bpnLeJF2V4L68jz3QVaaqYiBbo46Rxobs8hZ9LfK3Jxibi1HHKBgQiqbCUs=@protonmail.com>
In-Reply-To: <yCRGs9ve5782SDi1mdGMA1x1jOeJzBkfsWJxtFD3gcrPHI7WW2Ah3Qn9_Z1f17pGFAfC4DIx8fnLUMggrRdq0kfYRlJxpgLt_qJ7wSVC9t0=@protonmail.com>
References: <73TDuUxE1bU1oorFgqmS9MKA_hQz8W_IdSR9zJK1Fwkp5qfU7eqmA75QMddrME9iwrLmTkB7qLgf94o4c4NT1OgHe2QD_BeWvjZvDmLT6dg=@protonmail.com>
 <I_QFh8MNIEz819n0dEitgXPmS5jfrYkOxTZoo211l1grYmW3yrDYxkso9XSrqLS26WJVXj0LAIpYe77DwWs7sXClVjz_Oz-lQiOV3Hn1U2Y=@protonmail.com>
 <k95MsgwJmus2shEQ3XcON4sPN2jpvN0NOiVuIUk27H-gQno3iH4XEMH_nyaKzUuCM8KKt63qM8cph6Eai7fCgWRxfTdYnKdfVw0i2NZTTf0=@protonmail.com>
 <v7cGm-OTbNjvVuGJ8xMe1pOiBwVH1BZkJMS6DjcK5j9kMHmeCRhKrpbglugLPjyUQmDSzIXNxGz4k-kK4sjkIHgWrbaiO_93qauVKSJzZmY=@protonmail.com>
 <yCRGs9ve5782SDi1mdGMA1x1jOeJzBkfsWJxtFD3gcrPHI7WW2Ah3Qn9_Z1f17pGFAfC4DIx8fnLUMggrRdq0kfYRlJxpgLt_qJ7wSVC9t0=@protonmail.com>
Feedback-ID: 27732268:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Tue, 23 May 2023 16:37:29 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Responsible disclosures and Bitcoin development
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 16:18:11 -0000

Hi alicexbt

> It has been assigned CVE-2023-33297

Did you personally request the CVE ID? Say via here [0]? Did you confirm wi=
th someone listed on the vulnerability reporting process [1] for Bitcoin Co=
re that it made sense to do that at this time? I'm not sure whether complet=
ely bypassing that list and requesting CVE IDs for the project as an indivi=
dual is the way to go. If you have already contacted one of them and they'v=
e given you the go ahead to start the CVE process then fine. You weren't pa=
rticularly clear with what has occurred.

Thanks
Michael

[0]: https://cve.mitre.org/cve/request_id.html
[1]: https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md

--
Michael Folkson
Email: michaelfolkson at protonmail.com
GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F


Learn about Bitcoin: https://www.youtube.com/@portofbitcoin


------- Original Message -------
On Monday, May 22nd, 2023 at 13:56, alicexbt <alicexbt@protonmail.com> wrot=
e:


> Hi Michael,
>=20
> > Now that's not to say you may not have a point about better documentati=
on and guidance on what should go through the vulnerability reporting proce=
ss and what shouldn't.
>=20
>=20
> Yes, this can be improved.
>=20
> > Or even that this particular issue could ultimately end up being classe=
d a CVE.
>=20
>=20
> It has been assigned CVE-2023-33297
>=20
>=20
> /dev/fd0
> floppy disk guy
>=20
> Sent with Proton Mail secure email.
>=20
> ------- Original Message -------
> On Wednesday, May 17th, 2023 at 6:14 PM, Michael Folkson michaelfolkson@p=
rotonmail.com wrote:
>=20
>=20
>=20
> > Hi alicexbt
> >=20
> > "Open source" has the word "open" in it. Pushing everything into closed=
, private channels of communication and select groups of individuals is wha=
t I've been trying to push back upon. As I said in my initial response "it =
doesn't scale for all bug reports and investigations to go through this tin=
y funnel" though "there are clearly examples where the process is criticall=
y needed".
> >=20
> > Now that's not to say you may not have a point about better documentati=
on and guidance on what should go through the vulnerability reporting proce=
ss and what shouldn't. Or even that this particular issue could ultimately =
end up being classed a CVE. But rather than merely complaining and putting =
"open source" into quote marks perhaps suggest what class of bug reports sh=
ould go through the tiny funnel and what shouldn't. Unless you think everyt=
hing should go through the funnel in which case you are advocating for less=
 openness whilst simultaneously complaining it isn't "open source". Square =
that circle.
> >=20
> > Thanks
> > Michael
> >=20
> > --
> > Michael Folkson
> > Email: michaelfolkson at protonmail.com
> > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> >=20
> > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> >=20
> > ------- Original Message -------
> > On Tuesday, May 16th, 2023 at 23:39, alicexbt alicexbt@protonmail.com w=
rote:
> >=20
> > > Hi Michael,
> > >=20
> > > A disagreement and some thoughts already shared in an email although =
its not clear to some "open source" devs:
> > >=20
> > > Impact of this vulnerability:
> > >=20
> > > - Denial of Service
> > > - Stale blocks affecting mining pool revenue
> > >=20
> > > Why it should have been reported privately to security@bitcoincore.or=
g, even if initially found affecting only debug build?
> > >=20
> > > Example: https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2021-31=
29
> > >=20
> > > CVE is a different process and I am aware of it. It would be good for=
 certain developers in the core team to reflect on their own approach to se=
curity, regardless of whether their work receives CVE recognition or not.
> > >=20
> > > /dev/fd0
> > > floppy disk guy
> > >=20
> > > Sent with Proton Mail secure email.
> > >=20
> > > ------- Original Message -------
> > > On Friday, May 12th, 2023 at 1:14 AM, Michael Folkson michaelfolkson@=
protonmail.com wrote:
> > >=20
> > > > Hi alicexbt
> > > >=20
> > > > The vulnerability reporting process requires communication and reso=
lution via a small group of individuals 0 rather than through open collabor=
ation between any contributors on the repo. There are clearly examples wher=
e the process is critically needed, the most obvious past example being the=
 2018 inflation bug 1. However, it doesn't scale for all bug reports and in=
vestigations to go through this tiny funnel. For an issue that isn't going =
to result in loss of onchain funds and doesn't seem to present a systemic i=
ssue (e.g. network DoS attack, inflation bug) I'm of the view that opening =
a public issue was appropriate in this case especially as the issue initial=
ly assumed it was only impacting nodes running in debug mode (not a mode a =
node in production is likely to be running in).
> > > >=20
> > > > An interesting question though and I'm certainly happy to be correc=
ted by those who have been investigating the issue. Some delicate trade-off=
s involved including understanding and resolving the issue faster through w=
ider collaboration versus keeping knowledge of the issue within a smaller g=
roup.
> > > >=20
> > > > Thanks
> > > > Michael
> > > >=20
> > > > --
> > > > Michael Folkson
> > > > Email: michaelfolkson at protonmail.com
> > > > GPG: A2CF5D71603C92010659818D2A75D601B23FEE0F
> > > >=20
> > > > Learn about Bitcoin: https://www.youtube.com/@portofbitcoin
> > > >=20
> > > > ------- Original Message -------
> > > > On Tuesday, May 9th, 2023 at 03:47, alicexbt via bitcoin-dev bitcoi=
n-dev@lists.linuxfoundation.org wrote:
> > > >=20
> > > > > Hi Bitcoin Developers,
> > > > >=20
> > > > > There is an open issue in bitcoin core repository which was creat=
ed last week: https://github.com/bitcoin/bitcoin/issues/27586
> > > > >=20
> > > > > I think this should have been reported privately as vulnerability=
 instead of creating a GitHub issue even if it worked only in debug mode. S=
ome users in the comments have also experienced similar issues without debu=
g build used for bitcoind. I have not noticed any decline in the number of =
listening nodes on bitnodes.io in last 24 hours so I am assuming this is no=
t an issue with majority of bitcoin core nodes. However, things could have =
been worse and there is nothing wrong in reporting something privately if t=
here is even 1% possibility of it being a vulnerability. I had recently rep=
orted something to LND security team based on a closed issue on GitHub whic=
h eventually was not considered a vulnerability: https://github.com/lightni=
ngnetwork/lnd/issues/7449
> > > > >=20
> > > > > In the CPU usage issue, maybe the users can run bitcoind with big=
ger mempool or try other things shared in the issue by everyone.
> > > > >=20
> > > > > This isn't the first time either when vulnerability was reported =
publicly: https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9 and=
 this was even exploited on mainnet which affected some projects.
> > > > >=20
> > > > > This email is just a request to consider the impact of any vulner=
ability if gets exploited could affect lot of things. Even the projects wit=
h no financial activity involved follow better practices.
> > > > >=20
> > > > > /dev/fd0
> > > > > floppy disk guy
> > > > >=20
> > > > > Sent with Proton Mail secure email.