Responsible disclosures and Bitcoin development



Summary:

A recent issue in the Bitcoin Core repository (https://github.com/bitcoin/bitcoin/issues/27586) has sparked a debate about the vulnerability reporting process. Some argue that issues that will not result in loss of on-chain funds and do not present a systemic risk should be open for public collaboration. However, the current process requires communication and resolution through a small group of individuals rather than open collaboration among any contributors to the repository. This funnel approach is critically needed for issues like the 2018 inflation bug. Whether to keep knowledge of an issue within a smaller group or to collaborate more widely remains a delicate trade-off.

The debate was sparked by a request from floppy disk guy to consider the impact of any vulnerability that gets exploited and could affect many things. The email also discussed how some users had experienced similar issues without a debug build of bitcoind, but no decline in the number of listening nodes on bitnodes.io had been noticed in the previous 24 hours. In light of this, the email requested that vulnerabilities be reported privately as a security measure, even if there is only a 1% possibility of the issue being a vulnerability. Finally, the email cited previous examples where vulnerabilities were reported publicly, such as the one in https://gist.github.com/chjj/4ff628f3a0d42823a90edf47340f0db9, which was exploited on mainnet and affected some projects.


Updated on: 2023-06-16T18:26:40.166112+00:00