Untitled

a guest
Jun 25th, 2018
Hey everyone! We wanted to acknowledge the current back and forth between members of the community, particularly u/mtlynch, and the Siaberry dev team.

For the unaware: Siaberry makes a Linux-based OS for using Siacoin. mtlynch recently published a post on his blog (link) and a post here on Reddit regarding security vulnerabilities that he found in the Siaberry software.

The Sia community has a long history of wonderful users and contributors, which is why I’m disappointed in how this issue was handled by both sides.

First, a note about responsible disclosure. When someone smart finds a security vulnerability in a piece of software, they can do a lot of things with it. Notably, they can exercise something called responsible disclosure, where they alert the development team to the vulnerability and give them a period of time to fix it before publicizing it.

## Regarding mtlynch

We don’t feel that mtlynch’s post was made following responsible disclosure practices. While he alerted the team to the vulnerability, they couldn’t align on a timeline for the fix. mtlynch proposed 60 days, while kete proposed six months. In the very article mtlynch linked to regarding responsible disclosure in his blog post detailing the vulnerability, there are eight examples given that also quote timeframes for implementing a fix. Of those eight, six are five months or longer.

While 60 days may have been enough time for the short-term fix, it’s not unreasonable to require more time for the longer-term fixes from a part-time dev team.

We also feel that it’s not constructive, nor within the spirit of the Sia community, to release a post on why to stay away from a project in the Sia ecosystem a day after a questionable disclosure timeline.

## Regarding Siaberry

The Siaberry team’s reaction to the disclosure and subsequent handling of the situation has been poor. In order for any project to succeed, it needs to define how it operates when under pressure, and how it presents itself to the world. I don’t feel that Siaberry has done either of those things well with their responses to critics regarding this issue.

I would also expect a dev team to express greater concern when presented with vulnerabilities, especially when the product they make involves user funds and files.

I hope we can all move forward from this better for it. There are going to be growing pains associated with any project that people are passionate about, and this is one of those pains. And there will be more, guaranteed.