Author: alicexbt 2023-05-22 12:56:13
Published on: 2023-05-22T12:56:13+00:00
In a recent email exchange on the Bitcoin-dev mailing list, Alice suggested that the vulnerability reporting process for Bitcoin Core should be less closed and more open. Michael responded by acknowledging that there may be room for improvement in the documentation and guidance surrounding the vulnerability reporting process. However, he also pointed out that not all bug reports and investigations can go through the same funnel. For an issue that does not result in loss of on-chain funds or present a systemic risk, opening a public issue is appropriate, as long as it does not impact nodes running in production.

Alice had previously highlighted an open issue in the Bitcoin Core repository (https://github.com/bitcoin/bitcoin/issues/27586) and suggested that it should have been reported privately as a vulnerability rather than filed as a GitHub issue. She also shared links to previous examples where vulnerabilities were exploited, emphasizing the importance of considering the impact of any vulnerability with broad reach, even for projects with no financial activity involved.

The emails discussed the trade-offs between wider collaboration on resolving an issue and keeping knowledge of the issue within a smaller group, and the need for clear guidelines on which classes of bug reports should go through the vulnerability reporting process. Michael's email also cited the 2018 inflation bug as an example of when the vulnerability reporting process was critically needed. The issue raised by Alice has since been assigned CVE-2023-33297.
Updated on: 2023-06-16T18:27:46.617500+00:00