Author: Michael Folkson 2023-05-17 12:44:41
Published on: 2023-05-17T12:44:41+00:00
Michael Folkson, a developer, responded to alicexbt's email regarding the vulnerability reporting process. He argued that pushing everything into closed, private channels of communication and select groups of individuals is not what "open source" stands for. Although there are cases where that process is critically needed, it does not scale for every bug report and investigation to go through this tiny funnel. For an issue that is not going to result in loss of onchain funds and does not appear to present a systemic problem, opening a public issue was appropriate in this case, especially since it was initially assumed that the issue only affected nodes running in debug mode.

Alicexbt had previously sent an email to the Bitcoin developers mailing list stating that a vulnerability in the Bitcoin Core repository should have been reported privately to security at bitcoincore.org rather than by opening a GitHub issue, even if it only worked in debug mode. Michael suggested that, rather than merely complaining and putting "open source" in quotation marks, alicexbt should propose which classes of bug report should go through the private funnel and which should not. He also pointed out that delicate trade-offs are involved: understanding and resolving an issue faster through wider collaboration versus keeping knowledge of the issue within a smaller group. Better documentation and guidance on what should go through the vulnerability reporting process, and what should not, could help.

Alicexbt had referred to an exploit on mainnet that affected some projects because a vulnerability was reported publicly. Michael stressed the importance of considering the impact of any vulnerability that gets exploited and how many things it could affect.
In conclusion, Michael emphasized that although there are cases where the process of reporting vulnerabilities is critically needed, it cannot scale for all bug reports and investigations to go through a tiny funnel. Better documentation and guidance on vulnerability reporting can be beneficial, and it is important to consider the potential impact of any vulnerability that gets exploited.
Updated on: 2023-06-16T18:27:30.601966+00:00