On Tue, Sep 12, 2017 at 4:49 AM, Sergio Demian Lerner via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> It also implies that sometimes a researcher works hard to investigate a
> vulnerability and later he finds out it was previously reported. It also
> means that the researcher cannot report to alt-coins which have a different
> policy.
I agree with your post, but wanted to make a point of clarification on the use of "can't". If someone wants to report something to the Bitcoin project we're obviously at your mercy in how we handle it. If we disagree on the handling approach we may try to talk you into a different position with a rational judgement based on our experience (or, if justified, advise that we're likely to whine about your approach in public). But if you still want to go also report a common issue to something else with a different approach then you can. Even our ire/whining can be avoided by a sincere effort to communicate and give us an opportunity to mitigate harm. That said, as mentioned, we'd encourage otherwise for issues that warrant it-- and I think with cause enough that the reporter will agree. So that is a different kind of "can't". :)

In Bitcoin the overwhelming majority of serious issues we've encountered have been found by people I'd consider 'inside the project' (frequent regular contributors who aren't seriously involved in other things). That hasn't been so obviously the case for other open source projects that I've been involved with; but Bitcoin is pretty good from a basic security perspective and finding additional issues often requires specialized experience that few people outside of the project regulars have (though some, like Sergio, clearly do).

I know through direct experience that both Mozilla and the Chrome project fix _serious_ (like RCE bugs) issues based on internal discoveries which they do not make public (apparently ever), though they may coordinate with distributors on some of them. (Some of these experiences are also why I give the advice that you should not consider any computer which has ever run a web browser to be strongly secure...)