Despite the security community's best efforts to educate the industry about security response, many companies still don't publish an email address for securely receiving information about flaws in their products. In the absence of a vulnerability disclosure policy, security researchers who attempt to report vulnerabilities often face considerable legal and sometimes even life-threatening risks.
This was the situation of Cory Fields, a bitcoin (BTC) core developer who discovered a critical vulnerability in Bitcoin Cash (BCH) (not to be confused with Bitcoin [BTC]).
While reviewing a portion of BCH's transaction signature verification code, Cory noticed that the functions omitted a critical check of a specific bit in the signature type. This omission would have allowed a specially crafted transaction to split the Bitcoin Cash blockchain into two incompatible chains. The behavior is a critical flaw because, when the chain splits, miners must converge on the longest chain and discard the transactions on the shorter one. As a result, those transactions would be invalidated, and no coins would be exchanged.
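As an added illustration (not the page's code or Bitcoin Cash's), the following toy model contrasts two validator implementations that differ only in whether they check the fork-specific bit of the signature type; the bit layout, constants and one-byte "transaction" encoding are assumptions, and the differential scan shows exactly which inputs the two node populations would judge differently, which is how consensus-critical omissions like this one are caught before release.

```python
"""Toy model of a consensus-critical signature-type (hashtype) check.

Constructed example: the bit layout below is an assumption for illustration,
not the real BCH encoding. Low five bits = base hash type, 0x40 = fork-specific
signature bit, 0x80 = ANYONECANPAY-style flag, 0x20 = unused (must be zero).
"""
from typing import List, Tuple

BASE_TYPES = {1, 2, 3}           # assumed values for ALL, NONE, SINGLE
BASE_MASK = 0x1F
FORK_ID_BIT = 0x40
ANYONECANPAY_BIT = 0x80
ALLOWED_MASK = BASE_MASK | FORK_ID_BIT | ANYONECANPAY_BIT


def sighash_valid_strict(hashtype: int) -> bool:
    """Reference rule: known base type, fork bit set, no stray bits."""
    base = hashtype & BASE_MASK
    stray = hashtype & ~ALLOWED_MASK & 0xFF
    return base in BASE_TYPES and bool(hashtype & FORK_ID_BIT) and stray == 0


def sighash_valid_missing_bit_check(hashtype: int) -> bool:
    """Same rule with the fork-bit check omitted: the kind of omission
    described above. Every other line is identical to the strict version."""
    base = hashtype & BASE_MASK
    stray = hashtype & ~ALLOWED_MASK & 0xFF
    return base in BASE_TYPES and stray == 0


def divergent_hashtypes() -> List[int]:
    """Differential check over every possible hashtype byte.

    Each value returned is a transaction that one set of nodes accepts and the
    other rejects, i.e. a consensus split waiting to happen. An empty list is
    what a release of consensus code must produce."""
    return [ht for ht in range(256)
            if sighash_valid_strict(ht) != sighash_valid_missing_bit_check(ht)]


def ledgers_after(txs: List[int]) -> Tuple[List[int], List[int]]:
    """Feed the same transactions to both node populations and return what
    each one ends up accepting; any difference means two incompatible chains."""
    strict = [t for t in txs if sighash_valid_strict(t)]
    lenient = [t for t in txs if sighash_valid_missing_bit_check(t)]
    return strict, lenient


if __name__ == "__main__":
    print("hashtypes on which the validators disagree:",
          [hex(h) for h in divergent_hashtypes()])
    print("ledgers after [0x41, 0x01, 0xC1]:", ledgers_after([0x41, 0x01, 0xC1]))
```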
In Cory's case, if someone had exploited the flaw, he would have had no way to prove that he was not the attacker. Billions of dollars were at stake, as well as, quite possibly, his safety. Cory wanted to do the right thing by disclosing the finding to the competing cryptocurrency, but to make matters worse, Bitcoin Cash had no responsible disclosure policy and no public PGP keys listed for its lead developers, which were needed to exchange the information securely.
Cory’s workaround was first to create a throwaway GitHub account using Tor and then to send a message to one of the core BCH developers asking for his PGP key. Eventually, the sensitive information was disclosed and the flaw was fixed.
Decentralized systems built on technologies such as blockchain rely on voluntary upgrades and consensus to work. If exploited, validation flaws can break that consensus, producing invalid transactions that undermine trust in solutions based on the technology.
Because flaws are inevitable, companies working in this space must have a mature responsible disclosure policy — and the policy must take the safety of the security researcher into consideration by providing a way to report findings anonymously.
About Cassio Goldschmidt
Cassio Goldschmidt is an internationally recognized information security leader with a strong background in both product and program-level security. His past leadership experience includes services at AON/Stroz Friedberg, NCR Corporation, Intuit, Syperplayer, Symantec Corporation, and Cisco Systems.