<r​brunner7:monero.social> Maybe I am dumb. HackerOne says "This report has been disclosed." but I don't see any details, can't seem to read anything from the conversation, hardly know anything more now than what this was about, on a conceptual level. Is this already "disclosure"? Is there a second level of "disclosure" with more details?

monero-project/monero #9765 was the PR that fixed that vulnerability

TLDR it was possible to make monerod allocate too much RAM while serving many RPC requests in parallel

r​brunner7: it's a limited disclosure, the issue submitter requested it this way

<o​frnxmr:xmr.mx> sech1 thats a different one

<s​yntheticbird:monero.social> At my understand of it, no, there is no second level of disclosure provided by H1.

<s​yntheticbird:monero.social> also yeah ofrnxmr is right. sech1 this is a different vulnerability

<s​yntheticbird:monero.social> i hope whoever find this one in particular will disclose it in details

<a​ck-j:matrix.org> These DOS issues are why I think it is so important to develop RPC fuzzing harnesses for monerod. I’m soliciting quotes from different firms currently for MAGIC. If anyone knows someone willing and able to write c++ fuzzing harnesses compatible with afl++ please reach out.

<s​agewilder:unredacted.org> From my analysis, the network code, especially the epee section, would better benefit from an extended peer review, and some sections should be rewritten entirely.

<s​agewilder:unredacted.org> Fuzzing can be considered next.

<b​oog900:monero.social> the list of things that could do with a refactor is quite large ... :p

<s​pirobel:kernal.eu> maybe even get rid of epee entirely?

<s​agewilder:unredacted.org> I noticed that the recent release revealed that you made two disclosure, was Cuprate a catalyst of your findings ?

<b​oog900:monero.social> one of them yes, the other no but I used Cuprate crates to make PoC for both.

we do have some fuzz tests: github.com/monero-project/monero/tree/master/tests/fuzz

<s​yntheticbird:monero.social> we can't sir

<s​yntheticbird:monero.social> be more precise

<s​pirobel:kernal.eu> lordoftheepee.png

<s​yntheticbird:monero.social> LMAO