Responsible disclosure of bugs
Summary:

In a recent thread on bitcoin-dev, Daniel Stadulis suggested treating different bug severity levels with different response plans. He outlined three levels of compromise: compromising UTXO custody, compromising UTXO state, and compromising node performance. However, as Gregory Maxwell pointed out, the severity of a bug is not always clear cut, and what looks like a minor issue can turn out to be much more serious. As an example, someone pointed out a major amplifier of the UTXO-memory attack that Bitcoin Core narrowly dodges; it would have made the attack very easy to exploit against some users, and no one had previously considered it. So while different classes of bug should be handled differently, it is prudent to treat a bug as more severe than it is currently known to be. Finally, Maxwell notes that the thread is not actually about disclosure but about publication, which has different implications.


Updated on: 2023-05-20T03:50:15.729834+00:00