public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Matt Corallo <lf-lists@mattcorallo.com>
To: Simon Liu <simon@bitcartel.com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Responsible disclosure of bugs
Date: Sun, 10 Sep 2017 19:02:36 -0400	[thread overview]
Message-ID: <cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com> (raw)
In-Reply-To: <3e4541f3-f65c-5199-5e85-9a65ea5142e7@bitcartel.com>

I believe there continues to be concern over a number of altcoins which
are running old, unpatched forks of Bitcoin Core, making it rather
difficult to disclose issues without putting people at risk (see, eg,
some of the dos issues which are preventing release of the alert key).
I'd encourage the list to have a discussion about what reasonable
approaches could be taken there.

On 09/10/17 18:03, Simon Liu via bitcoin-dev wrote:
> Hi,
> 
> Given today's presentation by Chris Jeffrey at the Breaking Bitcoin
> conference, and the subsequent discussion around responsible disclosure
> and industry practice, perhaps now would be a good time to discuss
> "Bitcoin and CVEs" which has gone unanswered for 6 months.
> 
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-March/013751.html
> 
> To quote:
> 
> "Are there are any vulnerabilities in Bitcoin which have been fixed but
> not yet publicly disclosed?  Is the following list of Bitcoin CVEs
> up-to-date?
> 
> https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
> 
> There have been no new CVEs posted for almost three years, except for
> CVE-2015-3641, but there appears to be no information publicly available
> for that issue:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3641
> 
> It would be of great benefit to end users if the community of clients
> and altcoins derived from Bitcoin Core could be patched for any known
> vulnerabilities.
> 
> Does anyone keep track of security related bugs and patches, where the
> defect severity is similar to those found on the CVE list above?  If
> yes, can that list be shared with other developers?"
> 
> Best Regards,
> Simon
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 


  reply	other threads:[~2017-09-10 23:09 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-10 22:03 [bitcoin-dev] Responsible disclosure of bugs Simon Liu
2017-09-10 23:02 ` Matt Corallo [this message]
2017-09-10 23:28   ` CryptAxe
2017-09-11  2:15   ` Anthony Towns
2017-09-11 11:34     ` Alex Morcos
2017-09-11 17:43       ` Daniel Stadulis
2017-09-11 18:29         ` Gregory Maxwell
2017-09-12  4:47         ` Anthony Towns
2017-09-12  3:37       ` Anthony Towns
2017-09-12  4:49         ` Sergio Demian Lerner
2017-09-12 16:10           ` Simon Liu
2017-09-14  5:27             ` Anthony Towns
2017-09-22  2:00               ` Nathan Wilcox
2017-09-22 19:53                 ` Sergio Demian Lerner
2017-09-12 17:57           ` Gregory Maxwell
2017-09-12  5:18         ` Bryan Bishop
2017-09-12 17:41         ` Gregory Maxwell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cb968a34-f8d2-ab61-dd15-9bd282afd18c@mattcorallo.com \
    --to=lf-lists@mattcorallo.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=simon@bitcartel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox