[2020-09-12]Researcher kept a Bitcoin bug secret for 2 years to prevent attacks

[Karartma1]

In 2018, a security researcher discovered a major vulnerability in Bitcoin Core, the software that powers the Bitcoin blockchain, but after reporting the issue and having it patched, the researcher opted to keep details private in order to avoid hackers exploiting the issue.
Technical details were published earlier this week after the same vulnerability was independently discovered in another cryptocurrency, based on an older version of the Bitcoin code that hadn't received the patch.
https://www.zdnet.com/article/researcher-kept-a-major-bitcoin-bug-secret-for-two-years-to-prevent-attacks/

[1715571549]

1715571549

[1715571549]

1715571549

[1715571549]

1715571549

[1715571549]

1715571549

[1715571549]

1715571549

[hv_]

Some critical business (e..g railway,...)  with very high standards have to wait up to 10y to be 'allowed' to use a new tech for the public to be settled - exactly for that reason.

All such forks (hard/soft) and alterations happening to bcore, bcash, eth, .. are just a nightmare / nogo for any enterprise business btw

[thirdkiller]

In any case, over time, hackers would have found this vulnerability, I'm sure of it.

[Harlot]

I think they have done right on doing so. Vulnerabilities where it hasn't been resolve yet shouldn't be disclose to anyone not unless the vulnerability is related to users doing a certain action like how older versions of Electrum are bring controlled by hackers. By staying silent they are giving themselves time to fix the issue not worsen the scenario where hackers might have the idea of doing the vulnerability said by them.

[InvoKing]

In any case, over time, hackers would have found this vulnerability, I'm sure of it.

Fixing the bug quickly will prevents any harm for users keeping their software up to date. Using an old version is not recommended and always risky 

[Kakmakr]

Is there some kind of reward for people to receive if they find vulnerabilities like this? Who would be funding such a reward, if it does exist?  I know exchanges and wallet providers will offer a reward, if someone finds an exploit in their code, but we know where they get there funds from. 

In any way, most people are invested in Crypto currencies that has the knowledge to find these so-called "bugs" ...so it is in their best interest to keep it a secret, because it will have a major influence on the value of their own hoard.. if the exploit is made public before it is patched. 

[gentlemand]

A nice little litmus test of the competence and vigilance of the developers who are using the same basis for other coins. My bet is that hardly any of them will care or understand nor will their handful of users. There'll be shitcoins with gaping vulnerabilities that were long ago dealt with on the better run platforms.

[bbc.reporter]

This is very old news and the bug was fixed already. What is the writer of the article doing by putting this back on the surface again? I am skeptical, however, I do speculate that there are people behind this.

[Harlot]

This is very old news and the bug was fixed already. What is the writer of the article doing by putting this back on the surface again? I am skeptical, however, I do speculate that there are people behind this.

According to the article this bug only re-emerge because the vulnerability that the had found on Bitcoin was also seen on another cryptocurrency named Decred which I think is the reason why they also have revealed that they saw it on Bitcoin earlier because Decred was based on an older version of the Bitcoin code. Other cryptocurrencies that are also based on Bitcoin's code are also vulnerable and maybe that is why they came out of it to make the developers be able to handle the issue for their own respective projects.

[bbc.reporter]

@Harlot. However, the title of the article is clickbait that implies something else. I am shaking my head on why many mainstream news outlets have the need to do something like this.

[slaman29]

Is there some kind of reward for people to receive if they find vulnerabilities like this? Who would be funding such a reward, if it does exist?  I know exchanges and wallet providers will offer a reward, if someone finds an exploit in their code, but we know where they get there funds from. 

Interesting question too. I know most blockchain projects have a bug bounty set aside from their own funds but those are all centralized ones. I guess Bitcoin doesn't have it maybe because it's just all these guys who are paid or volunteered to fix it at their own time. Probably why it takes 2 years to fix;)

[bbc.reporter]

@slaman29, @Kakmakr. Bug bounties have never existed in many opensource projects unless someone organizes this for them.

Also, agreed! Good question because what are the trying hard influencers in the B Foundation doing about this? They only want influence with no effort? I reckon organizing a bug bounty should be their job.

[gentlemand]

I would assume they assume that protecting Bitcoin itself is enough of a bug bounty. If you find a gaping hole it's likely you own some and don't want it flying down the toilet.