From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Thu, 4 Jul 2024 07:34:09 -0700 (PDT)
Subject: [bitcoindev] Re: Bitcoin Core Security Disclosure Policy
Message-Id: <46a677b3-3838-4a2d-b8d3-8c0e05e4139dn@googlegroups.com>

Hi Eric,

> Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community

Without unnecessarily re-opening old wounds, if you have examples of what has caused material harm to the community, it could be interesting to share.
From experience with second layers, as soon as you start to have many codebases affected by a vuln, it's another kind of dynamics, so it's good to draw lessons.

> I don't know what precipitated this change, but props to you all for stepping up.

About the timing, among many factors, the bitcoin whitepaper assignment legal issue is hopefully less of a concern now, so some competent people have more time to handle the job of publicly disclosing security bugs. In addition, the bitcoin open-source landscape has more resources (for the best and worst) than 10 years ago. From sharing beers with Amir not so long ago, it wasn't like that 10+ years ago. I know he was kicked off the original sec list, though I'm not sure the reasons are well known.

Best,
Antoine

On Thursday 4 July 2024 at 02:13:15 UTC+1, Eric Voskuil wrote:
>
> The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.
>
> I have to say this is one of the most compelling statements I've seen from the bitcoind/Bitcoin Core team in over 10 years. Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don't know what precipitated this change, but props to you all for stepping up.
>
> Best,
> Eric
>