From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 76375504 for ; Tue, 21 Mar 2017 02:47:36 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-pg0-f43.google.com (mail-pg0-f43.google.com [74.125.83.43]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 94CD1180 for ; Tue, 21 Mar 2017 02:47:35 +0000 (UTC) Received: by mail-pg0-f43.google.com with SMTP id g2so86235232pge.3 for ; Mon, 20 Mar 2017 19:47:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bitcartel-com.20150623.gappssmtp.com; s=20150623; h=from:subject:to:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=pH7Srn3DsN84LYaOQw1wiH4LsaQ8myKcnc7CgQym9iA=; b=T6cRSiAX+GoLT6CemSYww18NnF8Mw3KiF9JvIBYTJrxGhp7Kj0+BAn/nEwyZC6rLQA RfI/ki18/CsPhWpUK0yKpFx8Z2ABr0B9KrBFmltxpTg6IWDLlWL0dOJAjmJW1ZlwcwdI bgioH8cHSiZb53i6Qp+jt4yn7WLYzKvjKtG0l6dsYuOQEUw0BB1LBYqJ+d84Zf3hmXR8 jBNfG1BzngZUMLz2rXvtcmlGO2LEZASKoWHI8WaqDyOl8kGCdJ6nugKHWjUYWxXKIcy3 9FnVuaXVF5e/Z8LYiYyaW84GCdIIbUGsSLPuyGO1dRD3nkHGb3yWn+J+gO9oNzy48biC c/NQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=pH7Srn3DsN84LYaOQw1wiH4LsaQ8myKcnc7CgQym9iA=; b=rz9UyE8KAYg5QoO+p9R3MAi/wB4vane/ixfTjjpVIP7XgQ+L2gd/v6XqwFVE9YfLkh IGNDR8Z65VGZItiIWqS0+zLPLrLJUuPPKhZaprfIqgWEmCgUh6kEY80N5m+TYu9qUG1l suCfZwrLVcXv6mtqHyVPc0FeLrcXi5PqABj0SU8M4WGnKphL1KSZRR2o6cci9lCSAJ9B if/KU4dmqOChlEfDokcJmBDeHrbYccOSfCPDZC3osIuzaWcVx3DBvivy11BFOpVvdPs7 wKqGAjupD9AbjwKw7lnKgJKsm7b+eYsW0Hp/8siP11tCjGWdQSgp9Wd5DM90rVEzu4QL UZbQ== X-Gm-Message-State: AFeK/H2fBdYgyhz/uXYiKwFzGx7SvGbmUdESVglY0zK1XCwI94m6myzQplNWaVhRs/9TRQ== X-Received: by 10.98.82.216 with SMTP id g207mr36760385pfb.139.1490064454869; Mon, 20 Mar 2017 19:47:34 -0700 (PDT) Received: from [192.168.1.133] (c-73-241-250-8.hsd1.ca.comcast.net. [73.241.250.8]) by smtp.googlemail.com with ESMTPSA id b10sm1785720pga.39.2017.03.20.19.47.32 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Mar 2017 19:47:32 -0700 (PDT) From: Simon Liu To: Bitcoin Dev Message-ID: Date: Mon, 20 Mar 2017 19:47:31 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [bitcoin-dev] Bitcoin and CVEs X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Mar 2017 02:47:36 -0000 Hi, Are there are any vulnerabilities in Bitcoin which have been fixed but not yet publicly disclosed? Is the following list of Bitcoin CVEs up-to-date? https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures There have been no new CVEs posted for almost three years, except for CVE-2015-3641, but there appears to be no information publicly available for that issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641 It would be of great benefit to end users if the community of clients and altcoins derived from Bitcoin Core could be patched for any known vulnerabilities. Does anyone keep track of security related bugs and patches, where the defect severity is similar to those found on the CVE list above? If yes, can that list be shared with other developers? If some fixes have been committed with discreet log messages, it will be difficult for third parties to identify and assess the importance of any critical patches. Do any important ones come to mind? Finally, curious to know, what has changed since 2014 that has resulted in the defect rate, at least based on the list of publicly reported CVEs, to fall to zero? A change to the development process? Introduction of a bug bounty? Best Regards, Simon