hello! i was wondering what the hackerone bounties are, the reporting document links to a old page thats now a dead link which has the bounty pool amount (1500 xmr in apr 2025 was the last snapshot, wow) and i was wondering if there was like a new forum or anything for it

luigi1111 i'd figure you'd know as your one of the security contacts :)

anyone here?

<rottenwheel:unredacted.org> usagirabbit yeah, apparently...

The hackerone fund is more or less just case by case. A few xmr up to like 100+ depending on severity

i see thanks for letting me know

i reported a high severity :)

usagirabbit: what did you find?

high level?

RCE? or protocol issue

BoBeR182 im not too sure im supposed to disclose it, but its not a rce which would be critical :)

is it remotely exploitable

wdym

I'll shutdown my node until a patch comes out

oh noo

its not that scary

well

it involves nodes yes

but

yeah

im not gonna disclose more than that

so shutdown my node or not?

dont

it took me a while to discover it lmao

u should be sage

safe*

sounds like something an attacker would say

LOL

dont worry

there's agencies working 24/8 to compromise xmr

Im Totally Not State SponsoredTM

if you as a single user figured it out...

i submitted it to hackerone responsibly

im not a threat actor i swear!1!!!!!11

however i did use ai to look for potential weaknesses

(disclosed on the report, dont worry!)

so yeah

i just got like gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical

so far i havent found a critical yet, but only time will tell

were you able to reproduce it independently

or is it just theoretical

and a hallucination?

yes

i reproduced it independently

GPTslop has ruined many bug bounty programs

LOL

welp

did you offer a patch to fix it+?

yes

that is awesome!

well not really a patch

well go make one

i just told them what they could do to patch it

that would actually help

you should open the PR

it has a PoC and everything too

im not gonna open the pr cuz

i dont want it exposed

YET

it could take down uh

some nodes

forcefully

you can mark sensitive PRs

those exist in github

does it private it?

ahh

sounds like DoS

dang it!

ya figured it out LOL

that could be used to deanonymize certain actors

is it a memory corruption that can be DoS leading to RCE

uuhhhh

no

no code injection

the closest thing i can get into about it thats somewhat nontechnical is a ram leak

a threat actor can crash likee

a shit ton of nodes

esp if they are state sponsored

i think gpt 5.4 found another high/critical

but its kinda weird

its related to multisig

the first bug i found on monero is exactly CVSS 3 score 7.5!

<ufo808:matrix.org> There was multisig issue before

<ufo808:matrix.org> It was fixed

ahh

when?

yesterday?

<ufo808:matrix.org> And I think I already saw some monero DoS on hackerone before, like multiple of them

<ufo808:matrix.org> usagirabbit: Years ago

oh

years ago?

no these are recent

unpatched

ive tested them

<ufo808:matrix.org> @ufo808:matrix.org: But maybe I’m trippin balls

no ur right

i have the latest repo

for monero

from the github

it works

<ufo808:matrix.org> Interesting

a state actor can like

nuke a shit ton of nodes

if they are in the right place

so if they do a sustained attack of this

it can be basically wraps

soo

and i found another dos

omfl

<ufo808:matrix.org> Can you nuke spy nodes then? Thanks

i cant uhh

select them

its kinda indiscriminate

LOL

uhm

i think i found another one

Rough CVSS: 8.6 High

ih wait

i found the one i already reported

LOOOOOOOOL

profound stupidity

the good thing about spamming this chat is that you would have disclosed the vuln already and not eligible for reward

?

wat

ohh

about the one im looking for

LOL

nah

if i found one

ill just say ill found one

i wont go into detail abt it if its that bad

your report is "gpt 5.4 to scrape the entire codebase and look for stuff that could be high/critical"

lol

😭😭

i mean

ur not wrong

you're welcome

broo

im using copilot write

dude

im genuinely fried

i just wrote right as write

yeah stop spamming

its 12 am😭💔

gpt 5.4 keeps stopping

#OPENAIISLYINGABOUTMULTIHOURCODEXRUNS

hes back

the nsa killed him and he ressurected

did you DoS me

yes i did bober

i work for the nsa

#rced #itswrapsforyou

(joke obviously)

hello

<kiersten5821:matrix.org> dos is high?

<ravfx:xmr.mx> dos=high,umb

<kiersten5821:matrix.org> umb meaning?

<ravfx:xmr.mx> Upper High Memory

<ravfx:xmr.mx> oh non, Upper Memory Block... I think

<kiersten5821:matrix.org> and what does that mean

<ravfx:xmr.mx> You too young

<kiersten5821:matrix.org> feel like you're trolling me

<kiersten5821:matrix.org> but i dont get it

<kiersten5821:matrix.org> 😔

<ravfx:xmr.mx> Back in the days, one would ideally want to load dos in HIGH and the left over in the UMB, that and as much drivers as possible.

<ravfx:xmr.mx> The UMB where block of memory that could be freed Between A0000-FFFFF, usually between C8000-EFFFF.

<ravfx:xmr.mx> Doing so would free conventional memory (the first 640K). So DOS games that need a lot of it would have enough memory

<ravfx:xmr.mx> Things like QEMM would allow remapping the BIOS out of F0000-FFFFF, adding an extra 64KB

On my node I'm getting error "Transaction not found in pool" every minute or so. Is that cause for concern?

<ofrnxmr:xmr.mx> Are you mining?

Yeah, with p2pool connected to my node

<ofrnxmr:xmr.mx> Other p2pool peers are mining blocks that have txs that youe node doesnt have

<ofrnxmr:xmr.mx> Your node tries to broadcast them hut shows that error because your node is missing txs that are in the submitted block

What would cause that happen? Is that normal? Am I not syncing fast enough or something?

<ofrnxmr:xmr.mx> Selfish mining of txs

So it's other nodes that are causing that to appear?

<omurad:matrix.org> Yes

<ofrnxmr:xmr.mx> Its p2pool peer's node that are causing it to appear*

<ofrnxmr:xmr.mx> Not nodes that your node is directly connected to