Replying to Avatar lontivero

I reported a double-spending bug in Cashu, and they asked me not to disclose it for one year.

Floppy found a DoS vector, received a grant for it, and gave them how much time? Two weeks? Not happy with that, they threatened to attack the mints. What attracts these kind of psycos to the FOSS circles?
Avatar
kidwarp 1mo ago đź’¬ 1

A one year disclosure in this space is unacceptable imho…

Issue with stuff like this needs to be addressed and fixed asap and not shelved for a year…

Immediate disclosure was the right thing to do imho…

Reply to this note

Please Login to reply.

Discussion

Avatar
g4tt0 1mo ago đź’¬ 3

bad take and fundentally incorrect

assesment and fixing take time, rollouts even longer, if the bug is protocol level all clients and mints would need to patch before disclosure. Sure the 'fix' in this process may be immediate but the rollout and post-patch assessment is very important and takes time.

immediate disclosure benfits only skriptkiddies and malicious actors. These aren't new ideas, we stand on the shoulders of cybersecurity wizards and years of research on how to best innoculate a in-production coding project from bugs and potential exploits.

Avatar
kidwarp 1mo ago

I totally disagree.

Cashu/ecash is beta software for the most part…

Disclosures should happen immediately…

Avatar
g4tt0 1mo ago

fair enough, we sit on different sides of the fence on this one kidwarp

(hug)

Avatar
lontivero 1mo ago

The software is beta but the money is not, it is real money.