11:52:54 <midipoet> is there a process for assessing vulnerabilities for library/software dependencies in the monero codebase? (if there is, it is detailed anywhere?)
11:53:23 <midipoet> or do we depend on hackerone for this?
13:01:50 <m-relay> <s​yntheticbird:monero.social> midipoet: The most publicized way of learning about potential vulnerabilities in dependencies is through CVE and release bulletins. In 95% of the case it requires the project itself to report publicly the vulnerability, which happens very rarely (even linux hid vulnerability fix in bug fixes, tho now they don't care since they became CVE authority and obfuscate everything). If a p<clipped
13:01:51 <m-relay> <s​yntheticbird:monero.social> roject decide to fix something but not report it there is no way you'll ever know. Sometimes it happens that a CVE authority will fill a CVE for a vulnerability that has appears but not talked publicly. Hackerone is also offtopic. It's only used for vulnerability reporting and bug bounties. There are zero guarantees that a report will lead to a CVE being filled.
13:04:55 <m-relay> <s​yntheticbird:monero.social> I mean yeah you could check out for disclosed reports, but not everyone is disclosing it and sometimes its censored
13:05:01 <m-relay> <b​asses:matrix.org> I would report it to the maintainers of said dependency, then ask whether it is ok to warn X project (Monero for example) that is using your dependency.
13:07:32 <m-relay> <b​asses:matrix.org> but I would just report the issue to Monero immediately after informing the maintainers of that library/dependency as they are affected too.
19:43:22 <m-relay> <3​21bob321:monero.social> Hacker one ?
22:01:00 <midipoet> syntheticbird: so basically we don't have any formal, or informal, process to check for vulnerabilities in dependencies?
22:03:14 <midipoet> What's stopping a state actor targeting a software/library dependency of Monero to bring down our network then? Surely that's easier than a 51% attack, or other potential means of targeting the protocol/network. Or is that just not that feasible?
22:06:01 <m-relay> <s​yntheticbird:monero.social> midipoet, fortunately monero is pretty resilient to supply chain attack compared to say Cuprate. The only plausible target would be miniupnp, supercop and randomx are freezed, rapidjson is not even used afaik and maintained by Tencent, and gtest is maintained by Google and optional.
22:07:14 <m-relay> <s​yntheticbird:monero.social> and you have to take into account the scope of the dependency usage
22:07:38 <m-relay> <s​yntheticbird:monero.social> if we talk only vulnerability then all the dep excluding miniupnp represent zero risk
22:07:44 <m-relay> <s​yntheticbird:monero.social> oh wait there is also zmq
22:07:56 <m-relay> <s​yntheticbird:monero.social> I'm stupid i forgot like the majority of dependencies
22:08:01 <m-relay> <v​tnerd:monero.social> Rapidjson is used by zeromq only and should be pinned to a specific version
22:08:39 <m-relay> <s​yntheticbird:monero.social> yeah i see that thx
22:08:51 <midipoet> Ok, thanks for the explanation and context. 
22:09:54 <m-relay> <v​tnerd:monero.social> But yeah dependencies are always sketchy, and overlooked frequently
23:04:55 <m-relay> <k​ayabanerve:matrix.org> The argument would be Monero is more at risk of issues due to self-vendoring a complete bespoke library referred to as epee, which lead to major DoS issues on the network years after the fact, and that using well-known, community-reviewed packages produce higher quality outcomes
23:38:01 <m-relay> <v​tnerd:monero.social> I don't know if that's accurate, I recall a number of the issues were in the p2p layer outside of epee. There isn't necessarily a library that does _everything_ such that it would prevent dos
23:39:01 <m-relay> <v​tnerd:monero.social> in fact only one was in the epee?
23:42:33 <m-relay> <s​gp_:monero.social> I think it's just a general point that sometimes good libraries can be better than neglected code :)
23:48:11 <m-relay> <s​gp_:monero.social> But obviously not always