bitcoin-dev
A Free-Relay Attack Exploiting RBF Rule #6
Original Post by David A. Harding
Posted on: March 27, 2024 17:18 UTC
Dave raises concerns about the rapid timeline from reporting a security vulnerability to making it public.
He points out that after reporting the attack privately on Thursday around 15:46 UTC, there was no response for four days, including a weekend, before the issue was made public on Monday at 13:21 UTC. Dave suggests that this was an unusually quick decision to go public, noting that it is more common to allow at least 30 days for a response to such reports. He adds that further prompts for a response are often needed within that period. This highlights the importance of giving adequate time for triage and response to security vulnerabilities before disclosing them publicly.