-
m-relay
<sagewilder:unredacted.org> I have issues with this document. This is why I'm reaching out here.
-
m-relay
<ofrnxmr:monero.social> What issues are you having?
-
m-relay
<sagewilder:unredacted.org> Luigi1111's PGP key is insecure rsa2048, was generated 7 years ago, and the e-mail it is attached to (luigi1111w⊙gc) does not correspond to the points of contact description (luigi1111⊙go).
-
m-relay
<sagewilder:unredacted.org> Moneromooo's PGP key expired last month (2024-11-16).
-
m-relay
<sagewilder:unredacted.org> I'm wondering if the PGP keys and/or VRP document are current or if they may be outdated.
-
m-relay
<sagewilder:unredacted.org> It is also unclear to me if:
-
m-relay
<sagewilder:unredacted.org> > Please, CC all points of contact if you decide to use email instead of HackerOne
-
m-relay
<sagewilder:unredacted.org> means that I should both send an e-mail to Luigi and direct message moneromooo on libera with a pastebin link of the report encrypted with their pgp key?
-
plowsof
-
Albassort
Hey, I saw that Bisq 2.0 is going to support Monero?
-
m-relay
<syntheticbird:monero.social> Albassort -> #monero or #monero-community
-
m-relay
<sagewilder:unredacted.org> plowsof, thank you for the link. Should I include luigi in the process as well with their rsa2048 PGP key?
-
plowsof
if rsa2048 is broken then the dev team need to be notified appropriately via hacker one. thank you
-
m-relay
<sagewilder:unredacted.org> I cannot sign in to HackerOne.
-
m-relay
<syntheticbird:monero.social> luigi1111 is already aware
-
m-relay
<syntheticbird:monero.social> when he will update it is unknown
-
m-relay
<syntheticbird:monero.social> realistically there is only h1
-
m-relay
<syntheticbird:monero.social> yes it sucks, feel free to spark a scandal about that because holy shit is this VRP broken
-
moneromooo
Best way to get ignored though.
-
moneromooo
So not a good suggestion :)
-
m-relay
<syntheticbird:monero.social> ok true that wasn't smart towards a newcomer
-
m-relay
<syntheticbird:monero.social> still there needs to be some fixing
-
moneromooo
In order for there to be some fixing, there needs to be some time volunteering.
-
moneromooo
Like, I mostly hang around nowadays.
-
moneromooo
selsta does most/all of the H1 care and feeding fwiw.
-
moneromooo
(AFAIK)
-
moneromooo
I guess if H1 isn't an option, pastebin an armored version and I'll point to the relevant person (or fix it if I can).
-
m-relay
<syntheticbird:monero.social> yes selsta and jeffro are doing the h1 work. It's fine to not be available but at least change the point of contact because for people that don't wanna go over h1 they have nowhere to go
-
m-relay
<rbrunner7:monero.social> Before anybody freaks out: RSA-2048 is not "broken", but sure not recommended anymore.
-
m-relay
<syntheticbird:monero.social> Alright moneromooo, it's what is in the VRP, can we at least mark to expect some delays when dming IRC. I'm not trying to act like a spoiled child, but that's just not very formal imo.
-
m-relay
<syntheticbird:monero.social> selsta or jeffro256 should also be point of contact
-
moneromooo
Sure.
-
m-relay
<syntheticbird:monero.social> Let's goooo
-
moneromooo
Ask first if they're OK with being listed though.
-
m-relay
<syntheticbird:monero.social> of course
-
moneromooo
I'm OK with being delisted (also OK with not being).
-
m-relay
<syntheticbird:monero.social> ack.
-
moneromooo
Though if you keep me in, mention I'm backup/secondary ?
-
m-relay
<syntheticbird:monero.social> That would be ideal
-
moneromooo
ty
-
m-relay
<rbrunner7:monero.social> Wanna get rich? Factor an RSA-2048 key and pocket USD 200,000: en.wikipedia.org/wiki/RSA_Factoring_Challenge
-
moneromooo
Hopefully before having spent 200,000 in power costs.
-
m-relay
<sagewilder:unredacted.org> Thanks for the info, I'll wait for things to clear up before proceeding, and if taking too long, I'll reach moneromooo.
-
ofrnxmr
Just reach moneromooo right now lol
-
plowsof
important matters as these can not be rushed. please give sagewilder some space to consider all options carefully
-
m-relay
<sagewilder:unredacted.org> It gives me the opportunity to do some clean up, and also continue searching. I won't let it drag on.
-
plowsof
.merges
-
xmr-pr
8929 9122 9172 9176 9286 9290 9336 9376 9380 9381 9389 9395 9400 9441 9445 9451 9452 9454 9457 9469 9475 9481 9490 9501 9502 9504 9505 9506 9507 9510 9511 9512 9515 9518 9525 9527 9529 9530 9531 9532 9533 9535 9536 9537 9540 9541 9542 9543 9548 9549 9554 9556 9558 9560 9565 9574 9577 9580 9581 9583 9584 9585 9589 9590 9592 9593 9607 9614 9615 9616
-
sech1
wow, that's a lot
-
ofrnxmr
70
-
selsta
syntheticbird: I'm helping with managing H1 website but I would prefer if someone else volunteers as point of contact in the document
-
m-relay
<syntheticbird:monero.social> all fine selsta.
-
m-relay
<syntheticbird:monero.social> waiting on jeffro response then
-
m-relay
<jeffro256:monero.social> I would be okay being listed as a point of contact for vulnerabilities, but I need to tighten my key security before then
-
m-relay
<jeffro256:monero.social> My main PGP key that I use for day-to-day tasks is stored on a computer which has a lot of software running on it and touches the internet
-
m-relay
<jeffro256:monero.social> I don't have a root PGP key posted anywhere, nor a PGP key that is suitable for ultra-sensitive communications
-
m-relay
<syntheticbird:monero.social> let's gooooooo
-
m-relay
<syntheticbird:monero.social> np, feel free to communicate when you have set up your opsec, I'll make a PR to edit VRP when you're ready
-
m-relay
<sagewilder:unredacted.org> For obtaining a valid e-mail address to register over HackerOne I need a secondary non-Proton e-mail address. Would it be possible that someone lets me borrow his inbox for validation?
-
ofrnxmr
Just encrypt a dm to moneromooo
-
m-relay
<siren:kernal.eu> sagewilder: use mail.gw it works when registering with HackerOne
-
m-relay
<sagewilder:unredacted.org> This is successful, thank you, I didn't know this service existed.
-
m-relay
<sagewilder:unredacted.org> And sorry for the odd request.
-
m-relay
<sagewilder:unredacted.org> ofrnxmr, HackerOne is often a better support for media, discussions and transparency imo. I would have still messaged moneromooo if I hadn't had a choice.
-
tobtoht_
merges for christmas?