-
r4v3r23[m]
<selsta> "can you reproduce the same..." <- is the DNS leak expected behavior when the flag isn't set?
-
selsta
r4v3r23[m]: I don't see anything in monero-wallet-cli that uses DNS, that's why I'm curious if you can reproduce the issue with it.
-
moneromooo
There's the old fork mitigation shite.
-
moneromooo
Unless that got removed recently.
-
selsta
I think it got removed
-
selsta
-
DanishHassan[m]
Hey everyone
-
DanishHassan[m]
I have found some vulnerabilities and loopholes in the XMR chain that can make any coder work on it and make it traceable
-
DanishHassan[m]
Now I am no coder so I am not reporting it on Vulnerability responses
-
DanishHassan[m]
But I simply wanna tell these loopholes in return for reward
-
DanishHassan[m]
What is the right place for it
-
selsta
-
DanishHassan[m]
I submit the report here and IF they find my exploit real I get rewarded?
-
selsta
you submit it as a report on hackerone.com/monero and yes only if your reports are valid you get rewarded
-
selsta
not here in this chat
-
moneromooo
If it's not known yet, and it depends on the subjective "danger" of it and ease of exploiting it.
-
moneromooo
And if it's our bug.
-
DanishHassan[m]
great thanks buddies
-
DanishHassan[m]
has anyone received a bigger bounty than what IRS was offering
-
rbrunner
Improbable
-
someoneelse49549
If there was such a vulnerability in Monero with such a big reward (+600k $) I think it would be invisible
-
someoneelse49549
Not the vulnerability but the bounty and the reward
-
rbrunner
Hmmm, after something like that there would be some quite suspicious PRs submitted. Not sure you can pull something off in this way.
-
someoneelse49549
suspicious PRs?
-
rbrunner
Yes. PRs with changes where nobody has an idea what they are for. Because some vuln is to be kept secret forever, as per your scenario.
-
rbrunner
Or why they are made exactly now, with which motivation
-
someoneelse49549
I see
-
DanishHassan[m]
Well trust me I am no coder but real good at finding the loopholes. But I would rather help my community
-
DanishHassan[m]
I just hope community is generous enough
-
rbrunner
And a vuln that we leave open, in the style of "security by obscurity" is pretty much ruled out, IMHO
-
rbrunner
If somebody found out, more will
-
tobtoht[m]
-
someoneelse49549
DanishHassan[m]: Be aware that such behavior of showing only interest for the reward is prohibited on Hacker One. You can't do things like giving some vulns and then say you've more.
-
ofrnxmr[m]
The real question is - have you watched breaking monero?
-
rbrunner
To get a picture of what must be the absolute upper bound for any bounty:
getmonero.org/2021/06/24/general-fund-2020-2021-report.html
-
DanishHassan[m]
someoneelse49549: Sure any more tips?
-
ofrnxmr[m]
As a non coder, perhaps you've missed that the exploit is already being worked on etc.
-
someoneelse49549
DanishHassan[m]: Be professional, and try to propose a solution or a patch.
-
DanishHassan[m]
Great help guys thanks a lot
-
ofrnxmr[m]
(jeez I see I sound like I'm being rude). I mean to say, the people here will help you if you have roadblocks
-
ofrnxmr[m]
May even right the issues and fixes for you.
-
ofrnxmr[m]
But just make sure you get a good grasp of the problem, and if it's already known, and preferably a proposed solution if necessary to proceed
-
ofrnxmr[m]
Write* the issues.
-
DanishHassan[m]
On hackerone I can simply list the vulnerability points in order for devs to work on them right?
-
someoneelse49549
As long as the devs understand your report and approve the existence of this vulnerability, it should be good to go
-
moneromooo
Yes, but it needs to be unambiguous enough. When we get muddled stuff that's not precise and we don't see a vuln and the reporter can't explain better -> closed.
-
charuto
i notice there exist reports older than a year undisclosed, is there an intent from the team to still eventually disclose them?
-
rbrunner
Maybe related to OSPEAD stuff which is still in the works?
-
charuto
that would make sense, and i'd expect them to eventually be disclosed if that's the case.
-
rbrunner
At least one of them
-
someoneelse49549
Is getmonero.org build compiled with gcc or clang?
-
selsta
depends on the operating system
-
selsta
linux gcc, macos clang, freebsd also clang i think
-
someoneelse49549
why not linux clang? if people build it I would understand they have gcc by default, but since you compile it
-
UkoeHB
one advantage is a critical compiler bug won't affect all users
-
jtgrassie
android_CC=$(host_toolchain)clang
-
jtgrassie
linux_CC=gcc
-
jtgrassie
linux_CC=gcc
-
jtgrassie
linux_CC=$(default_host_CC)
-
jtgrassie
linux_CC=$(default_host_CC)
-
jtgrassie
darwin_CC=clang
-
jtgrassie
freebsd_CC=clang-8
-
jtgrassie
someoneelse49549: "why not linux clang?" I think it's just that the default on ubuntu is gcc (on the version of ubuntu used by depends)
-
someoneelse49549
jtgrassie: oh that makes sense
-
kowalabearhugs-[
<rbrunner> "To get a picture of what must be..." <- BinaryFate posted an update this year. Perhaps it should also be a blog post on getmonero.org.
reddit.com/r/Monero/comments/11fslu…fund_transparency_report_march_2023
-
charuto
we discussed that earlier today in -community and BF said he'll post to the blog
-
Rucknium[m]
-
Rucknium[m]
The max bounty payout is defined there (unless the content in the link to forum.getmonero.org is out of date)