Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted:2017-09-12
📝 Original message:On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> It also implies that sometimes a researcher works hard to investigate a
> vulnerability and later he finds out it was previously reported. It also
> means that the researcher cannot report to alt-coins which have a different
> policy.

I agree with your post, but wanted to make a point of clarification on
the use of "can't".

If someone wants to report something to the Bitcoin project we're
obviously at your mercy in how we handle it. If we disagree on the
handling approach we may try to talk you into a different position
based on a rational judgement based on our experience (or, if
justified, advice that we're likely to whine about your approach in
public). But if you still want to also go report a common issue to
something else with a different approach then you can. Even our
ire/whining can be avoided by a sincere effort to communicate and give
us an opportunity to mitigate harm.

That said, as mentioned, we'd encourage otherwise for issues that
warrant it -- and I think with cause enough that the reporter will
agree. So that is a different kind of "can't". :)

In Bitcoin the overwhelming majority of serious issues we've
encountered have been found by people I'd consider 'inside the
project' (frequent regular contributors who aren't seriously involved
in other things). That hasn't been so obviously the case for other
open source projects that I've been involved with; but Bitcoin is
pretty good from a basic security perspective and finding additional
issues often requires specialized experience that few people outside
of the project regulars have (though some, like Sergio, clearly do).

I know through direct experience that both Mozilla and the Chrome
project fix _serious_ (like RCE bugs) issues based on internal
discoveries which they do not make public (apparently ever), though
they may coordinate with distributors on some of them. (Some of
these experiences are also why I give the advice that you should not
consider any computer which has ever run a web browser to be strongly
secure...)
Published at 2023-06-07 18:05:56

Event JSON
{
  "id": "74db420ba4eb68a2bec97abf24b661192aa445a99cdb89e6e1ff3386df1f9e20",
  "pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
  "created_at": 1686161156,
  "kind": 1,
  "tags": [
    [
      "e",
      "b4afe13d9a49e72cfb4be5de80ba8f98e37e048ca18d5270a9c446c7b3e9e69b",
      "",
      "root"
    ],
    [
      "e",
      "1d7e4545ed94c7ef009f21e749860c2b581c39d096629b8b632da6e3ff350bcc",
      "",
      "reply"
    ],
    [
      "p",
      "4b38603408f5be002091210e869a4ca86fc2aa1ffd0871036a0668068ee626ee"
    ]
  ],
  "content": "📅 Original date posted:2017-09-12\n📝 Original message:On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev\n\u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e It also implies that some times a researcher works hard to investigate a\n\u003e vulnerability and later he finds out it was previously reported. It also\n\u003e means that the researcher cannot report to alt-coins which have a different\n\u003e policy.\n\nI agree with your post, but wanted to make a point of clarification on\nthe use of \"can't\".\n\nIf someone wants to report something to the Bitcoin project we're\nobviously at your mercy in how we handle it. If we disagree on the\nhandling approach we may try to talk you into a different position\nbased with a rational judgement based on our experience (or, if\njustified, advice that we're likely to whine about your approach in\npublic). But if you still want to go also report a common issue to\nsomething else with a different approach then you can. Even our\nire/whining can be avoided by a sincere effort to communicate and give\nus an opportunity to mitigate harm.\n\nThat said, as mentioned, we'd encourage otherwise for issues that\nwarrant it-- and I think with cause enough that the reporter will\nagree. So that is a different kind of \"cant\". :)\n\nIn Bitcoin the overwhelming majority of serious issues we've\nencountered have been found by people I'd consider 'inside the\nproject' (frequent regular contributors who aren't seriously involved\nin other things). That hasn't been so obviously the case for other\nopen source projects that I've been involved with; but Bitcoin is\npretty good from a basic security perspective and finding additional\nissues often requires specialized experience that few people outside\nof the project regulars have (though some, like Sergio, clearly do).\n\nI know through direct experience that both Mozilla and the Chrome\nproject fix _serious_ (like RCE bugs) issues based on internal\ndiscoveries which they do not make public (apparently ever), though\nthey may coordinate with distributors on some of them. (Some of\nthese experiences are also why I give the advice that you should not\nconsider any computer which has ever run a web browser to be strongly\nsecure...)",
  "sig": "f7accdc6a79095d26e1ee1d4d7f809b7657d0541b560601655e5e5ea75da43c2b6f179f46bbd8486e60587b731633536d28ddbd9dc3df51273b881bf63a9e544"
}