16:01:53 "can you reproduce the same..." <- is the DNS leak expected behavior when the flag isn't set? 16:06:04 r4v3r23[m]: I don't see anything in monero-wallet-cli that uses DNS, that's why I'm curious if you can reproduce the issue with it. 16:08:45 There's the old fork mitigation shite. 16:08:55 Unless that got removed recently. 16:09:22 I think it got removed 16:10:14 https://github.com/monero-project/monero/pull/8408 17:25:46 Hey everyone 17:25:46 I have find some vulnerabilities and loop holes in the XMR chain that can make any coder work on it and make it traceable 17:26:16 Now I am no coder so I am not reporting it on Vulnerability responses 17:26:45 But I simply wanna tell these loopholes in return for reward 17:26:52 What is the right place for it 17:27:06 https://hackerone.com/monero 17:28:53 I sumbit the report here and IF they find my exploit real I get rewarded? 17:29:40 you submit it as a report on https://hackerone.com/monero and yes only if your reports are valid you get rewarded 17:29:43 not here in this chat 17:29:46 If it's not know yet, and it depends on the subjective "danger" of it and ease of exploiting it. 17:30:13 And if it's our bug. 17:32:01 great thanks buddies 17:32:25 has anyone recieved a bigger bounty then what IRS was offering 17:33:03 Improbable 17:33:10 If there was such a vulnerability in Monero with such a big reward (+600k $) I think it would be invisible 17:33:40 Not the vulnerability but the bounty and the reward 17:35:03 Hmmm, after something like that there would be some quite suspicious PRs submitted. Not sure you can pull something off in this way. 17:36:46 suspicious PRs? 17:37:20 Yes. PRs with changes where nobody has an idea what they are for. Because some vuln is to be kept secret forever, as per your scenario. 17:37:37 Or why they are made exactly now, with which motivation 17:38:00 I see 17:38:06 Well trust me I am no coder but real good at finding the loopholes But i would rather help my community 17:38:23 I just hope community is generous enough 17:38:28 And a vuln that we leave open, in the style of "security by obscurity" is pretty much ruled out, IMHO 17:38:39 If somebody found out, more will 17:39:24 one such PR: https://github.com/monero-project/monero/pull/1744 17:39:27 DanishHassan[m]: Be aware that such behavior of showing only interest for the reward is prohibited on Hacker One. You can't do things like giving some vulns and then say you've more. 17:39:43 The real question is - have you watched breaking monero? 17:40:29 To get a picture of what must be the absolute upper bound for any bounty: https://www.getmonero.org/2021/06/24/general-fund-2020-2021-report.html 17:40:31 someoneelse49549: Sure any more tips? 17:40:45 As a non coder, perhaps youve missed that the exploit is already being worked on etc. 17:41:12 DanishHassan[m]: Be professional, and try to propose a solution or a patch. 17:42:50 Great help guys thanks alot 17:43:21 (jeez i see i sound like im being rude). I mean to say, the people here will help you if you have roadblocks 17:43:47 May even right the issues and fixes for you. 17:44:48 But just make sure you get a good grasp of the problem, and if its already known, and a preferrably a proposed solution if necessary to proceed 17:45:30 Write* the issues. 17:47:39 One hackerone I can simply list the vulnerability points in order for devs to work on them right? 17:48:35 As long as the devs understand your report and approve the existence of this vulnerability, it should be good to go 17:48:36 Yes, but it needs to be unambiguous enough. When we get muddled stuff that's not precise and we don't see a vuln and the reporter can't explain better -> closed. 17:51:12 i notice there exist reports older than a year undisclosed, is there an intent from the team to still eventually disclose them? 17:52:04 Maybe related to OSPEAD stuff which is still in the works? 17:52:35 that would make sense, and i'd expect them to eventually be disclosed if that's the case. 17:52:36 At least one of them 18:05:12 Is getmonero.org build compiled with gcc or clang? 18:06:51 depends on the operating system 18:07:13 linux gcc, macos clang, freebsd also clang i think 18:08:38 why not linux clang? if people build it I would understand they have gcc by default, but since you compile it 18:14:23 one advantage is a critical compiler bug won't affect all users 18:14:53 android_CC=$(host_toolchain)clang 18:14:53 linux_CC=gcc 18:14:53 linux_CC=gcc 18:14:53 linux_CC=$(default_host_CC) 18:14:54 linux_CC=$(default_host_CC) 18:14:56 darwin_CC=clang 18:14:58 freebsd_CC=clang-8 18:17:41 someoneelse49549: "why not linux clang?" I think it's just that the default on ubuntu is gcc (on the version of ubuntu used by depends) 18:19:47 jtgrassie: oh that make sense 18:26:08 "To get a picture of what must be..." <- BinaryFate posted an update this year. Perhaps it should also be a blog post on getmonero.org. https://www.reddit.com/r/Monero/comments/11fslu9/monero_general_fund_transparency_report_march_2023/ 18:28:16 we discussed that earlier today in -community and BF said he'll post to the blog 19:02:31 I am once again asking to RTFM: https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md#v-bounty-distribution 19:03:14 The max bounty payout is defined there (unless the content in the link to forum.getmonero.org is out of date)