[bitcoin-dev] Responsible disclosure of bugs
Gregory Maxwell
greg at xiph.org
Tue Sep 12 17:57:32 UTC 2017
On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> It also implies that some times a researcher works hard to investigate a
> vulnerability and later he finds out it was previously reported. It also
> means that the researcher cannot report to alt-coins which have a different
> policy.
I agree with your post, but wanted to make a point of clarification on
the use of "can't".
If someone wants to report something to the Bitcoin project we're
obviously at your mercy in how we handle it. If we disagree on the
handling approach we may try to talk you into a different position
based with a rational judgement based on our experience (or, if
justified, advice that we're likely to whine about your approach in
public). But if you still want to go also report a common issue to
something else with a different approach then you can. Even our
ire/whining can be avoided by a sincere effort to communicate and give
us an opportunity to mitigate harm.
That said, as mentioned, we'd encourage otherwise for issues that
warrant it-- and I think with cause enough that the reporter will
agree. So that is a different kind of "cant". :)
In Bitcoin the overwhelming majority of serious issues we've
encountered have been found by people I'd consider 'inside the
project' (frequent regular contributors who aren't seriously involved
in other things). That hasn't been so obviously the case for other
open source projects that I've been involved with; but Bitcoin is
pretty good from a basic security perspective and finding additional
issues often requires specialized experience that few people outside
of the project regulars have (though some, like Sergio, clearly do).
I know through direct experience that both Mozilla and the Chrome
project fix _serious_ (like RCE bugs) issues based on internal
discoveries which they do not make public (apparently ever), though
they may coordinate with distributors on some of them. (Some of
these experiences are also why I give the advice that you should not
consider any computer which has ever run a web browser to be strongly
secure...)
More information about the bitcoin-dev
mailing list