# Reporting a vuln?

_General · started by KenAKAFrosty on Mon, Jul 6, 2026 6:39 PM_

Tags: Discussion

---

## Original post

**KenAKAFrosty** · Mon, Jul 6, 2026 6:39 PM

I've bumped into a vulnerability in the reference impl (confirmed 1.3.7, human-reviewed lol, not just hallucinated nonsense) that can DoS announce propagation. 

Blast radius is limited and there's no RCE or anything like that, but it's trivial to perform. And this doesn't seem like a tradeoff for some other benefit; it looks like it's just a small oversight, with a pretty straightforward path to fixing it.

Where's the best place to privately report the details now?

---

## Reply 1

**Anonymous** · Mon, Jul 6, 2026 7:04 PM

If you mean the fact you can just spam announces, there's a ratelimit system but it isn't on by default.

 If you don't, contacting Mark over LXMF is probably best, and checking if he's online in the rrc hub general room and pinging him there might also work.

---

## Reply 2

**KenAKAFrosty** · Mon, Jul 6, 2026 7:08 PM

**Anonymous** wrote:
> If you mean the fact you can just spam announces, there&#039;s a ratelimit system but it isn&#039;t on by default.
> 
>  If you don&#039;t, contacting Mark over LXMF is probably best, and checking if he&#039;s online in the rrc hub general room and pinging him there might also work.

Thanks, and yeah I definitely don't mean just spamming announces, this would have to be specifically malicious in a certain way

---

## Reply 3

**Mark** · Wed, Jul 8, 2026 2:36 PM

You can send me the details over LXMF or email, and I'll have a look at it immediately.

---

## Reply 4

**KenAKAFrosty** · Thu, Jul 9, 2026 2:19 PM

**Mark** wrote:
> You can send me the details over LXMF or email, and I&#039;ll have a look at it immediately.

Thanks, Mark!! Just emailed you (a light bump in urgency since first discovery)

---
