0 sats \ 2 replies \ @conduition OP 8 Sep \ parent \ on: Mercury Layer Vulnerability Disclosures Report bitcoin
xD no no no, @tptrevethan and I had a very reasonable discussion of how to handle this and roll out fixes. I offered to give Mercury as much time as they needed to roll out fixes, but then Mercury went ahead and published the vulnerability report on Twitter. Only after seeing that did I publish it to my blog as well. The cat was already out of the bag at that point.
@conduition Thanks for the clarification.
Look, one piece of advice if a vulnerability report is to be quite clear in giving a disclosure timeline ahead (and fair to update in flight if they are mitigations developed and deployed). If the report is done outside of a bug bounty program with no rules of engagement, picking up a timeline is really on your shoulders. In the situation of very low funds exposed, as apparently it’s the case here, giving 2 weeks of warn-up would have been very good courtesy. My IMHO only.
reply
Thanks and good point. I'm new to this and wasn't expecting mercury to unilaterally publish without asking me first. My mistake was in not being explicit about timeline with them, and also Tom admitted that he thought my vulnerability report (given over a private link to my website) was publicly accessible on my blog (it wasn't). That's why mercury rushed to publish fixes ASAP.
Miscommunication all around and a good learning experience for next time in a low-stakes environment
reply