Responsible disclosures

Responsible disclosures were occasions when someone discovered a vulnerability in Bitcoin-related software and reported it to developers, affected users, and the public in a way that helped minimize harm.

This page lists occasions when Optech reported on a responsible disclosure and makes a best-effort attempt to cite the names of the people who made the disclosure. There are many other responsible disclosures not listed here, including those which have not been publicized yet.

Optech newsletter and website mentions

2024

• Eugene Siegel responsibly disclosed a Bitcoin Core block stalling bug affecting LN
• Niklas Gögge responsibly disclosed a consensus bug affecting btcd
• Matt Morehouse responsibly disclosed vulnerability affecting Core Lightning
• Niklas Gögge responsibly disclosed two vulnerabilities affecting LND

2023

• Antoine Riard responsibly discloses replacement cycle attacks affecting all HTLC-using software
• Matt Morehouse disclosed fake channels vulnerability against four major LN node implementations
• Milk Sad team disclosed CVE-2023-39910 insecure entropy in Libbitcoin bx command

2022

• Anthony Towns disclosed a DoS and potential funds loss bug in BTCD and LND
• Bastien Teinturier disclosed issue allowing funds loss from Core Lightning and LND

2021

• Ajmal Aboobacker and Abdul Muhaimin disclose cross-site scripting vulnerabilities in BTCPay Server
• Antoine Riard disclosed CVE-2021-31876 enhanced pinning against LN due to BIP125 discrepancy

2020

• Antoine Riard disclosed CVE-2020-26895 and CVE-2020-26896 allowing funds theft from LND
• Braydon Fuller and Javed Khan report CVE-2018-17145 DoS vulnerability to devs of full nodes
• René Pickhardt disclosed fee ransom attack affecting multiple LN implementations
• Saleem Rashid disclosed to Trezor an issue previously identified by Greg Sanders

2019

• Suhas Daftuar disclosed a bug that could temporarily exclude a Bitcoin Core node from consensus

2018

• Sergio Demian Lerner disclosed CVE-2017-12842 which allows stealing from SPV wallets
• Trezor team disclosed a bug in the C-language bech32 specification affecting multiple wallets
• Bitcoin Core developers quietly fix bug allowing invalid bitcoins after DoS report from Awemany
• Awemany disclosed CVE-2018-17144 as a DoS vulnerability in Bitcoin Core
• Cory Fields disclosed a consensus failure vulnerability Bitcoin ABC (Bitcoin Cash)

See also

• Common Vulnerabilities and Exposures (CVEs)

  
  

Previous Topic:
Reproducible builds Next Topic:
Schnorr signatures

Edit page
Report Issue