Responsible disclosures and Bitcoin development [combined summary]




Published on: 2023-05-23T16:45:58+00:00


Summary:

A vulnerability in the Bitcoin Core repository has sparked a debate about the reporting process for vulnerabilities. While some argue that issues not resulting in loss of funds or presenting systemic issues should be publicly collaborated on, others believe that reporting privately is necessary for better practices and to avoid exploitation. The current process involves communication and resolution through a small group of individuals rather than open collaboration between contributors. It is acknowledged that this approach is critically needed for certain issues, such as the 2018 inflation bug. However, it is also recognized that not all bug reports can go through this funnel, and that better documentation and guidance on the reporting process would be beneficial.

The email exchange on the bitcoin-dev mailing list discusses these concerns. One user suggests that the reporting process should be less closed and more open, while another acknowledges room for improvement in the documentation and guidance surrounding the process. They also highlight the trade-offs between wider collaboration and keeping knowledge of the issue within a smaller group. Previous examples of vulnerabilities being exploited on mainnet are referenced, emphasizing the importance of considering the impact of any vulnerability. The issue raised by one user has since been assigned a CVE ID.

In response, a developer argues against pushing everything into closed, private channels and points out that the reporting process cannot scale for all bug reports. They agree that opening a public issue was appropriate in this case, as it initially only affected nodes running in debug mode. The developer suggests that instead of complaining, users should suggest what class of bug reports should go through the reporting process and what shouldn't. They stress the delicate trade-offs involved, including understanding and resolving issues faster through wider collaboration versus keeping knowledge restricted. The importance of considering the potential impact of vulnerabilities is reiterated.

The email thread also includes discussions about the impact of the vulnerability, with concerns raised about denial of service and stale blocks affecting mining pool revenue. Some users have experienced similar issues without using the debug build of bitcoind, but there has been no decline in the number of listening nodes on bitnodes.io. The thread provides links to examples where the reporting process was critically needed and highlights the security practices followed by Bitcoin developers.

Overall, the debate centers on the reporting process for vulnerabilities in Bitcoin Core, with arguments for both public collaboration and private reporting. The importance of considering the impact of vulnerabilities is emphasized, along with the need for better documentation and guidance on the reporting process. The trade-offs between wider collaboration and restricted knowledge are acknowledged, and previous examples of exploited vulnerabilities are referenced.


Updated on: 2023-08-02T09:26:12.973597+00:00