.

There's a huge difference between a general fact "their security practice is poor" and a statement like "some user stole $50 it might be yours". One can be widely reported, one generally will not.

There's somewhat of a difference with this case, in that he was explaining things a lot of us knew about already. Due to the way this particular event played out all of those private keys are compromised and that's the end of it. There's no further exploitation to be done, no further thefts, no further damage. If nothing else he raised awareness for RFC6979 signatures which mitigate this particular problem entirely.

In general there's little value to doing full disclosure. It's a net loss for the reporter (no bounty payout), for the users (they could be negatively affected) and for the company (that has to deal with the fall out). However, in some cases it's necessary to act in that way in order to get things fixed. If a company is being obtuse, lying, or otherwise not fulfilling their obligations to their customer then there's really no choice.

Not everybody reads this little pit on the side of the internet. Not everybody speaks English. Unless it's a very high profile event "saving" someones money will just be theft with no positive identification. Especially in the cases here, the private key was exposed so it could never be proved who owned it in the first place.



Lay off playing the concerned. There's a balance that needs to be struck no matter how you look at it. If people don't voice concern about the security practice of a company, there's an assumption that everything is just fine. I've given no information that could aid anybody in finding vulnerabilities in their code.

There's no method of doing that in Bitcoin.


There's existing incentive of being able to steal millions of dollars worth of Bitcoin. Do you really think some terse comments confirming that there are issues will make even the slightest difference? It's very much public knowledge that there's huge problems with their management of security, else this thread wouldn't be 20 pages long and I wouldn't be posting here.

You can't justify stealing a car because "it was going to be stolen anyway".


If you had $30M USD in your pocket and $400,000 a month in revenue resting entirely on your security, no doubt you'd be making that your first priority.

Full disclosure gets the job done but it doesn't pay my bills.

Responsible disclosure pays my bills, if it's anybody other than blockchain.info.

That would be gray hat. I am white hat.

I had the opportunity to take all of the money johoe did significantly before he even realized it was an issue. It wasn't my place to go saving anybodies coins, it was if anybodies it was blockchain.info's. I don't know the legality of what joehoe did, as far as I could justify in my head at the time even though it was a "good" act, it would still be breaking my countries law. During the event I asked blockchain.info for permission to sweep the money and return it to the company, but they didn't respond in time.


Responsibly reporting even ridiculously critical bugs isn't financially sensible for me with this company.



You would do well to look at potential for disaster. Blockchain.info likely holds high double digit percentages of all Bitcoin in existence. It's possible they own some of the most valuable servers in the world as unlike an exchange they can't use a cold/hot storage system. It's all hot, all internet connected, all the time.

No. Their response to responsible disclosure is deeply belittling.






• You have to nag them to even pay out. Some of the reports I have made could have been leveraged to steal millions of dollars worth of Bitcoin directly from their users, such as a plaintext websocket fallback in the wallet communication, SSL not being enforced at all, HSTS not being enforced, and a logical bypass for their Tor exit node blocking which amplified MITM attacks. The bounty for these bugs was lumped together at 1.9 BTC total, which I found to be astonishing low given their profile and the probable impact.

• Their security "team" does not know how to use GPG properly, when reporting an insanely critical bug that could still result in the thefts of Bitcoin they responded to a GPG encrypted email in plaintext acknowledging and quoting the security sensitive information.

• High risk bugs that affect the integrity of their service are told to be in scope, partially fixed, encouragement given and then all further reports are ignored for weeks. As it currently stands, the statement that if you use their browser extension or application you are safe from remote attack is completely false.

It is for these reasons I will not be attempting to responsibly disclose bugs to blockchain.info in the future, and I do not suggest other researchers attempt it either.

Not only johoe actually.

I'm the security researched who "caused" all of this by reporting a related bug to blockchain.info, which is why they were touching this critical code in the first place. The broken changes (there were multiple, only one is public knowledge) was pushed into production at midnight on Sunday in the UK. I caught the change and was able to get an emergency message to them in order to get them to pull the plug. Had I not had a script watching for changes like this on their site (previous experience has shown they love pushing broken code and then hiding it in git), it might have been a full 8 hours of sleep later that they could have taken down the website. Unsung hero and all that, but people would have lost a lot more money had it not been for that.

Their RNG was broken at least 4 times before this incident as well, it just didn't get any publicity.

So don't go go patting them on the back for their upstanding security, there's still piles of broken shit I've responsibly reported they haven't patched yet.