Bitcoin Forum
December 10, 2016, 10:52:53 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 2 [3]  All
  Print  
Author Topic: Bug Policy --- Admins need to enforce this  (Read 2800 times)
Mistafreeze
Sr. Member
****
Offline Offline

Activity: 291


View Profile
August 03, 2011, 03:58:08 PM
 #41

No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
are you an asshole too then?
non-asshole are not insulting people.

What are you, 12?

You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp?

You made an asshole move. Learn and move on.

Beerfund NXT-L4WV-ZF8P-8X54-D6XML
1481367173
Hero Member
*
Offline Offline

Posts: 1481367173

View Profile Personal Message (Offline)

Ignore
1481367173
Reply with quote  #2

1481367173
Report to moderator
1481367173
Hero Member
*
Offline Offline

Posts: 1481367173

View Profile Personal Message (Offline)

Ignore
1481367173
Reply with quote  #2

1481367173
Report to moderator
1481367173
Hero Member
*
Offline Offline

Posts: 1481367173

View Profile Personal Message (Offline)

Ignore
1481367173
Reply with quote  #2

1481367173
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
kokjo
Legendary
*
Offline Offline

Activity: 1050

You are WRONG!


View Profile
August 03, 2011, 04:01:03 PM
 #42

No, I'm calling you an asshole because you've made an asshole move.

"If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck."
are you an asshole too then?
non-asshole are not insulting people.

What are you, 12?

You don't publicly reveal the inner workings of a bug you find without privately letting the developers know first. All this does is give those that have no morals the chance to exploit it. Is this really that hard to grasp?

You made an asshole move. Learn and move on.
no its not hard to grasp.

i could ask you the same question, is it really that hard to grasp that, i do what i do?

"The whole problem with the world is that fools and fanatics are always so certain of themselves and wiser people so full of doubts." -Bertrand Russell
makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
August 03, 2011, 04:16:58 PM
 #43

"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
BTCrow
Sr. Member
****
Offline Offline

Activity: 243


BTCrow.com


View Profile WWW
August 03, 2011, 04:24:46 PM
 #44

"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.

Mistafreeze
Sr. Member
****
Offline Offline

Activity: 291


View Profile
August 03, 2011, 04:34:59 PM
 #45

"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

It's only comparable to that if you take out a full page add in the newspaper to inform the owner that the door hasn't been locked.

Beerfund NXT-L4WV-ZF8P-8X54-D6XML
BTCrow
Sr. Member
****
Offline Offline

Activity: 243


BTCrow.com


View Profile WWW
August 03, 2011, 04:47:23 PM
 #46

"Hey, I just told everyone in town you left your door unlocked instead of just telling you so you could lock it. But I did the right thing, you should be glad I didn't break into your house and steal your stuff."
Except it's generally more like some warehouse that everyone in town trusts to store their valuables that's leaving its door unlocked on a regular basis, and other warehouses have a history of not actually bothering to lock their door when this is pointed out and in some cases even threatening the person who'd noticed it in order to make sure their customers don't find out about it, and there's a good chance that someone will break in and steal everyone's stuff unless they move it out of there.

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.

Just want to enforce this point:

http://nvd.nist.gov/cvss.cfm?calculator&version=2

This is the calculator from NVD to calculate the severity scores of any potential or current vulnerability, this is how vendor and security professional can price vulnerability and calculate the security risk for most of the time.

Check the "Temporal Score Metrics" and put availability to high, fix to unavailable and verification to confirmed. You'll see it will put the security risk at a very high level compared to do ethical full-disclosure with right steps.

Xephan
Jr. Member
*
Offline Offline

Activity: 42


View Profile
August 03, 2011, 05:44:41 PM
 #47

(For a non-hypothetical example: Mt Gox had a couple of really nasty SQL injection vulnerabilities that were privately notified to them and that they dragged their heels on fixing. Those were discovered by someone else and used to break into the website, resulting in the price crash and password DB leak. The fact they weren't publicly disclosed allowed Mt Gox to lie and falsely pretend they never existed for weeks afterwards.)

Edit: Also, that's another problem. Private disclosure of website vulnerabilities allows the company to lie and pretend the vulnerability never existed because there's no way of proving it after it's been closed, so even if the reporter tries to disclose it publicly at that point they won't be believed. This causes users to get a false sense of security about the website; even if one vulnerability gets fixed it increases the odds there are other unfixed ones.

That's why discoverers usually only give the developers a week or two to do something before going public unless there are good reasons not to. It's not really possible to try to fool the discoverers who would usually be very competent technically about how long it's going to take to fix something. If the company isn't interested or proactive, nobody's going to blame the discoverer for being irresponsible.

A simple way for the discoverer to verify that they did give the developers warning is simply to send the initial warning without details via email CC to a few others. A simple "I've discovered what appears to be a flaw in your system. Please reply to all within 48 hours for details or I will publicly release the details of the exploit" would do. The CC'd people only need to know you're providing a warning and if the devs did bother to get back, and they can't fix it and claim it didn't exist.

If you can't trust anybody, routing it to yourself using a new account at a public webmail service like gmail or yahoo would also do in a pinch.

Or do what Wikileaks did and put an aes256 encrypted file with the details in public domain first Cheesy

186q9YUW3x8TVHC5aYBEqgZZYMxft8Cw9f
nhodges
Sr. Member
****
Offline Offline

Activity: 308


View Profile
August 03, 2011, 09:12:32 PM
 #48

that is YOUR opinion.

i believe in full disclosure.

i don't like that you are trying to force YOUR opinion down around MY head.

if i want to release information about a potential security threat. i do it.
you should only be glad that im not trying to use it.

I believe that is irresponsibility to the highest levels.    Posting a bug like that isn't helpful to anyone...  look I follow the Ubuntu policy on bug requests...  send it privately to the developers..  give them a chance to fix it.. then publish what went wrong...

You don't send it out the other way... where you publish it publicly .. allow a billion people to hack into the system...  then claim "i was doing the right thing" ...  that's not the right thing... that's akin to me publishing your banking username and password...  then saying "I was doing the right thing"  instead of telling you "you're username and password are compromised" ..

i believe in full disclosure as well... just give the guy a chance to fix it before you announce it...  I'm asking for a few hours... not a few days or weeks... 



Sometimes, there is no other option than full disclosure because security issues go unanswered so far as to be adopted by other businesses as acceptable practices. Private reports are great if they are digested and responded to in a timely fashion, however usually this is not the case. Most people who do find Bitcoin bugs do indeed submit them to the team directly, or commit a patch themselves.

makomk
Hero Member
*****
Offline Offline

Activity: 686


View Profile
August 04, 2011, 04:56:18 PM
 #49

If what you are saying is true, public disclosure in this case will give even worse results than the crash that occurs. It will give more people (in this disclosure case, script-kiddies) the ability to exploit mtgox.
You'd think so, but the window for exploiting this kind of vulnerability once it's been publicly exposed generally seems to be too small for anyone to actually do so profitably. Generally the person publicly announcing it only provides a minimal proof-of-concept that's enough to show the issue exists and a lot of effort is still required to use it maliciously.

Quad XC6SLX150 Board: 860 MHash/s or so.
SIGS ABOUT BUTTERFLY LABS ARE PAID ADS
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 04, 2011, 07:50:08 PM
 #50

Most everyone that is running anything important is in the channel, so all you have to do is tell them privately there. Then if someone finds something, give them an adequate reward for not being a complete dip shit chicken little.
indicasteve
Full Member
***
Offline Offline

Activity: 140



View Profile WWW
August 04, 2011, 08:13:43 PM
 #51

Do what I do...just pay the guy a bounty!

I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of....like who knew 'inf' as a form input gets parsed as a valid float?

He sent me some bugs in PM and I appreciate his help.

Art Express!  Native American Art, Crafts and Weapons!  coingig.com/ArtExpress
Tasty Champa
Member
**
Offline Offline

Activity: 84


View Profile
August 04, 2011, 09:49:16 PM
 #52

Do what I do...just pay the guy a bounty!

I put out a bounty to find bugs on my demo site and Kokjo stepped up and found some things I would have never thought of....like who knew 'inf' as a form input gets parsed as a valid float?

He sent me some bugs in PM and I appreciate his help.

you are a smart fellow. Smiley
Rodyland
Hero Member
*****
Offline Offline

Activity: 499


View Profile
August 05, 2011, 12:17:00 AM
 #53

i don't care, about the other users.

Sums himself up right there perfectly.

Beware the weak hands!
1NcL6Mjm4qeiYYi2rpoCtQopPrH4PyKfUC
GPG ID: E3AA41E3
bitplane
Sr. Member
****
Offline Offline

Activity: 321

Firstbits: 1gyzhw


View Profile WWW
August 05, 2011, 12:26:28 AM
 #54

I agree that Flexcoin should learn from this and lead the way by giving bounties and offering up a clear bug-resolution policy. Pay a reasonable fee for each vulnerability, allow the researcher to publish after a fixed period of time (regardless of whether the bug is fixed or not), and list all fixed vulnerabilities on the site along with the bounty paid.

A history of this sort of security policy would be strong evidence that sites that hold BTC are both secure and honest about their shortfalls.
Pages: « 1 2 [3]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!