Mock introducing vulnerability in important Bitcoin projects [combined summary]



Original discussion: bitcoin-dev mailing list

Published on: 2022-08-19T03:09:46+00:00


Summary:

In November 2021, Prayank announced an exercise to test the review process in three Bitcoin projects: Bitcoin Core, LND, and Bisq. They created a salted hash for the username and planned to create pull requests over the next six months. If vulnerabilities were caught during the review process, they would publicly announce them, but if not, they would privately reveal them later. However, after nine months, there has been no public report on the exercise, leaving it unclear whether any vulnerabilities have been introduced.

The email conversation emphasizes the importance of regularly testing and verifying the review process in open-source Bitcoin projects. One participant suggests using commit messages with specific requirements to test the process against attacks. Another participant proposes that developers should be forced to opt in to practice rounds of testing, as they cannot opt out of potential real-world attacks. The email concludes by emphasizing the importance of independent thought during the review process.

ZmnSCPxj suggests improving the review process to prevent attacks and avoid wasting contributors' time. They propose a scheme involving commit messages with specific requirements and the option for developers to opt out of the study. However, they note that developers cannot opt out of potential NSA attacks.

A discussion thread raises concerns about potential attempts to introduce vulnerabilities into the Bitcoin Core codebase. Some proposals suggest a "Red Team exercise" to test the system's resilience. Others argue for improving the review process instead. The proposed exercise would involve public precommitments collected at ceremonial intervals, with community approval granted for the inserted security flaws.

The discussion revolves around creating a standardized process for introducing vulnerabilities in Bitcoin's codebase. Two schemes are proposed, including a sortition system. The ideal process involves one person initiating the attempt and randomly choosing a team of insiders to back up their claim. The process includes public precommitments and the use of block hashes as a random oracle.

The post proposes a scheme to improve security in Bitcoin development using a sortition system. The scheme involves public precommitments collected at ceremonial intervals, with hash1 being a sortition ticket and hash2 being a public precommitment. The random oracle could be block hashes, and the red-team-concurrency difficulty parameter could control the selection process. The developer would have community approval to opportunistically insert a security flaw.

The proposed exercise aims to improve the reputation factor and review attention for new pull requests. It suggests a secret sortition system to encourage more developers to participate without harming their reputation. The scheme includes public precommitments collected at ceremonial intervals and a red-team-concurrency difficulty parameter.

The email exchange between Prayank and ZmnSCPxj discusses the importance of review processes in open-source Bitcoin projects. They agree on the necessity of reviews to catch vulnerabilities and caution against using unmerged PRs in production without careful review. Prayank proposes an exercise to test the review process by introducing vulnerability-adding PRs, while ZmnSCPxj emphasizes the need for private handling of any vulnerabilities found.

The email discussion highlights the importance of review processes for ensuring security in Bitcoin development. The group agrees that relying on reviews is better for security and discusses the value of testing vulnerabilities in the review process. They propose a plan to create pseudonyms and introduce vulnerability-adding PRs to targets to test the review processes. The plan includes inserting random numbers among the commitments and publicly praising successful reviews.

Prayank's proposal to conduct an exercise to study vulnerabilities in Bitcoin projects is met with caution. Ruben Somsen advises getting approval from contributors before proceeding to avoid causing mistrust and extra work for existing contributors. Prayank emphasizes reviewing pull requests based on code rather than author claims and asks whether trusting authors or having a good review process is better for security. They mention several Bitcoin projects they plan to test and note that x00 will assist them in the exercise.

Prayank proposes an exercise to study vulnerabilities in Bitcoin projects and observe the responses of maintainers and reviewers. The exercise involves creating new GitHub accounts, studying issues in various Bitcoin projects, preparing pull requests to introduce vulnerabilities, and documenting the results. x00 will assist Prayank in this exercise, which has no fixed completion date.

The email thread discusses introducing vulnerabilities in Bitcoin projects and observing how maintainers and reviewers respond. Ruben Somsen advises caution and suggests obtaining approval from contributors beforehand. ZmnSCPxj proposes a method using hash names and randomized salt as precommitments. They also highlight the potential impact on existing contributors and refer to a similar event in the Linux community.

Prayank proposes an exercise to introduce vulnerabilities in Bitcoin projects and document the responses of maintainers and reviewers. They plan to create new GitHub accounts, study issues in various Bitcoin projects, and prepare pull requests to introduce vulnerabilities. They mention x00 as someone who will assist them in the exercise.

In an email exchange, Prayank proposes an exercise to introduce vulnerabilities in various important Bitcoin projects and observe the responses of maintainers and reviewers.
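The salted-hash precommitment, the random decoys among the commitments, and the block-hash sortition summarized above can be sketched as follows. This is an added example, not code from the thread: the hash construction, the leading-zero-bits selection rule, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 32  # fixed-length salt, so salt || value can only be parsed one way

def commit(value: str, salt: bytes) -> str:
    """Salted SHA-256 precommitment: binds to value, hides it until the salt is revealed."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()

def verify_reveal(commitment: str, value: str, salt: bytes) -> bool:
    """Check a later reveal (pseudonym + salt) against the published commitment."""
    try:
        return hmac.compare_digest(commit(value, salt), commitment)
    except ValueError:
        return False

def publish(commitments: list[str], decoys: int) -> list[str]:
    """Mix real commitments with random decoys; sorting hides how many are real and their order."""
    return sorted(commitments + [secrets.token_hex(32) for _ in range(decoys)])

def ticket_hash(ticket_secret: bytes) -> str:
    """Public sortition ticket (the role of hash1 above): hash of a secret kept by the holder."""
    return hashlib.sha256(ticket_secret).hexdigest()

def selected(ticket_secret: bytes, block_hash_hex: str, difficulty_bits: int) -> bool:
    """Assumed rule: a ticket wins when SHA-256(secret || block hash) starts with
    difficulty_bits zero bits. Only the holder can evaluate this before revealing."""
    digest = hashlib.sha256(ticket_secret + bytes.fromhex(block_hash_hex)).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0

# Constructed sample values (not taken from the thread).
SALT = bytes(range(32))
PSEUDONYM = "example-test-account"
COMMITMENT = commit(PSEUDONYM, SALT)
TICKET_SECRET = bytes(range(32, 64))
BLOCK_HASH = "00" * 8 + "ab" * 24  # placeholder, not a real block hash

if __name__ == "__main__":
    print("published list:", publish([COMMITMENT, ticket_hash(TICKET_SECRET)], decoys=3))
    print("reveal verifies:", verify_reveal(COMMITMENT, PSEUDONYM, SALT))
    print("selected at 2 bits:", selected(TICKET_SECRET, BLOCK_HASH, 2))
```

Raising `difficulty_bits` lowers the fraction of tickets selected per block hash, which is the role the summary gives to the red-team-concurrency difficulty parameter.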


Updated on: 2023-08-02T04:51:41.971421+00:00