Reporting a vuln?
Started by KenAKAFrosty ·
I've bumped into a vulnerability in the reference impl (confirmed 1.3.7, human-reviewed lol, not just hallucinated nonsense) that can DoS announce propagation.
Blast radius is limited and there's no RCE or anything like that, but it's trivial to perform. And this doesn't seem like a tradeoff for some other benefit; it looks like it's just a small oversight, with a pretty straightforward path to fixing it.
Where's the best place to privately report the details now?
If you mean the fact you can just spam announces, there's a ratelimit system but it isn't on by default.
If you don't, contacting Mark over LXMF is probably best, and checking if he's online in the rrc hub general room and pinging him there might also work.
Anonymous wrote:
If you mean the fact you can just spam announces, there's a ratelimit system but it isn't on by default.
If you don't, contacting Mark over LXMF is probably best, and checking if he's online in the rrc hub general room and pinging him there might also work.
Thanks, and yeah I definitely don't mean just spamming announces, this would have to be specifically malicious in a certain way
You can send me the details over LXMF or email, and I'll have a look at it immediately.
Mark wrote:
You can send me the details over LXMF or email, and I'll have a look at it immediately.
Thanks, Mark!! Just emailed you (a light bump in urgency since first discovery)