Okay, welcome everyone. I'm going to discuss Monero's vulnerability response process. So every project, every company, everyone should have some sort of process in response to any vulnerabilities in their software, hardware, whatnot. Why? Well, because you don't want to endanger the end user, and because a lot of the time it's a false positive, and sometimes you just need good collaboration; you need something to create order in chaos, theoretically. So this is what Monero does. Now, before I came along there was nothing. So I went ahead and took my work from Java I2P, brought it over to Monero, we hacked on it, and we essentially came up with this document, loosely defined, and we essentially follow it. You can find it in the meta repo, that's on GitHub, monero-project/meta, it's right in the front, the root directory. It begins with the preamble, essentially saying what this VRP applies to, as well as the lovely bounty we have. We do supply bounty for all these hackers, and we pay exclusively in XMR, Monero. What is that, like a Disneyland or something? Something going back and forth. So code implementation is seen in monero-project; prose, almost pseudo-legalese. I don't think it's legally binding, but it's something to keep us all on track. So this also applies to research; people keep forgetting, you know, it's not always about the code. There's a lot of research and there's a lot of math and there's a lot of moving parts to this, and it's all applicable to this process. And of course here's the thing that, you know, there's a lot of trust involved. We assume that people are not going to exploit this exploit or vulnerability, because we're assuming that they're nice enough to come and report it, so they're not going to exploit it. So anyway, we reiterate, you know, try not to do that, try not to abuse it. And here's what, like, people don't get, alright: the live sites are not in scope.
So if you want to report some cross-site scripting thing on the forum for the millionth time, it's not applicable. Please don't email, please don't HackerOne us. Okay. Here we go, we've got bounty and, as I said, bounty is not eligible to people who do not follow this process, and I'll talk about a couple of those people who made a poor decision. Now Kovri currently does not follow this process, or HackerOne, which I'll talk about; no bounty available. For Kovri just go to GitHub or email me or anyone, or here, on this point, some contacts for security issues. So we've got Ric and Luigi for the CLI, GUI, and website, and for the Monero CLI and GUI we've got moneromooo here, and of course there's me. And we essentially make up the response team. So it's a semi-trusted or trusted group within the community that handles these reports, these incoming things, and we disperse as appropriate, we collaborate as appropriate. I don't always get credit, but I do work with moneromooo on a handful of patches that do make it into Monero, but it's part of my job, whatever. And so here's the next step. So we get the message, or we get the HackerOne report, and we essentially have incident response. They have two methods to contact us. They could use HackerOne, hackerone.com/monero, or send us an email, and there are reasons why I want to get rid of email; I'll point that out in the next tab. So here's the, I mean, you can just review it yourself in your own free time, a whole bunch of stuff. Establish the severity of the vulnerability, assuming it is a vulnerability. That's what we collaborate on and respond accordingly. And then we have a post-release process. We're pretty loose about this right now because nothing has been insane. Nothing's been incredibly, I mean, well, relatively speaking, nothing CVE-worthy, if you will. If you believe in using CVEs, we haven't actually done any of that. We could. I don't know, maybe Howard has ideas on that. I don't know.
Yeah, it's kind of whatever at this point. So we have a post-release, and of course bounty is optional. You can do all this and say no thanks, I don't want bounty. That was one excuse from one person who I'll point out in a minute. So we go down here. It's pretty rough. Here we go, bounty distribution. So here's our little, here's our math for this. You know, at most you receive 10% of each category. So 10% of 60% of the total bounty amount for high severity bugs. And it tiers on down to low. And it's somewhat subjective, and we've had no complaints. No, there's been one complaint, but I'll talk about that too. So I've got to move on too. Incident analysis, something we'd like to do more of once we start getting some actually more useful reports and not website cross-site scripting, et cetera. More collaboration, isolating code base, auditing, which is actually, auditing we're kind of, it's an ongoing thing with the MRL, the research lab. Getting the BP audits done, for example. But there was nothing actually, like, exploitable that drove that to happen. It's just kind of a research thing. And the resolutions: essentially I just go on r/Monero and post what happened, and here's the summary, and here's the link to HackerOne. And continuous improvement. What can we do to improve the process? Well, you know, we need more time to work that out. So let's go to hackerone.com/monero. And here's the policy. You'll go to it. You want to report something. Look, do not submit CSRF, XSS related reports. They will be closed. It's not applicable. And I can't tell you how many we get, because it's a lot. I don't have the number, but it's a lot, and they don't get it. They don't read. They don't pay attention. So let's check out the hacktivity. Here are all the reports that were submitted. So we've got constant-time comparison. It's not always implemented. Critical areas are vulnerable to key timing attacks, by yours truly.
Trusted daemon check fails, and proxy to torsocks, et cetera, et cetera. These are actually useful things. You know, these are actual bugs that can be exploited and were responsibly disclosed and patched, and they received bounty and, you know, very happy customers, and we're happy they were responsible about it. All those out-of-bounds, buffer out-of-bounds, blah, blah, blah, blah. And this is the problem. This was the first one, how many months ago? Eight months ago. Yeah, this guy wanted $100,000 of XMR, or he thought he would get it, for a one-line patch to pre-alpha Kovri code. $100,000. At the time, I mean, that was when XMR was like $200. So of course that kind of triggered me, and you can read the thread. It's pretty funny. But aside from that one case, we have all these, it was great. We have all these reports and you can hear, well, you know, where's the good one? Where's the torsocks one? There we go. So, you know, reporter puts a summary, description, releases affected, steps to reproduce, possible solutions. Hey, what's up? Hey, how's it going? Thanks. Try this. Okay, well, I'll try this. Oh, okay. And it works out. And then, you know, send us your address. We'll send you money. And then they get it. So, so far so good, right? I mean, there have been problem people, though, who do not believe in this process. We don't have sound. I was going to play some Khachaturian, the Sabre Dance, to go with this. If you don't know that piece, I won't sing it for you. But it's fun. Okay. Where are we? Wait. Any questions so far? Any questions? Yes. Yes. Okay. So, they have to provide the, well, they have to at least report it. And it has to be verifiable as a vulnerability. They don't necessarily have to provide a patch. Personally, I want proof of concept that they can't do that. That's just me. So far, like, I think this report, I don't see a single diff for anything, just some ideas on how to resolve it.
And when moneromooo goes in and actually provides the patch, and then we say thank you, give them the bounty. Now, this is based roughly on this amount. This is our total bounty we have available. And from that pool, we deduce the various percentages per tier, which we deem to be low, medium, or high vulnerabilities. And that is semi-defined within this process. Whereas it is... Here we go. Sorry. What is it? Well, it's in here. I promise it's in here. If you see it, yeah. Yes, if you go to the meta repo, M-E-T-A. Is it another question, sorry? Yes. How is the response team selected? That's a good question. Well, right now it's a static group of people. Myself, fluffypony, Luigi, and moneromooo, the most trusted, most... I mean, we've been around for years. We don't screw around. We don't have time for that. Most knowledgeable, if you will. And there have been zero complaints so far. We're always open to ears and comments and criticism. So we just showed you... Okay, so that's the total amount we have available. Okay. Here's the security advisory. Here's what I told you after we do the reports. We want to get it out there. Hey, moneromooo is very active in being responsible and being honest about this happened. It happened at this time. This is development. You've got to take it and move on. So here's a summary I just recently did. And it has all the links. So it's totally open. And you know that we're as active as possible. And that's on Reddit, r/Monero. And so the question... Let's see. I wanted to cherry-pick some of this. Is why... So the question is, why don't you just take emails? Why are you using HackerOne? Isn't that, like, dangerous? I mean, what if they're working with the NSA or what have you? And that's a really good question. Has anyone, like, thought of that question? Has that crossed anyone's mind? Like, why are we using HackerOne? Anyone? Okay. Okay, here we go. What did I say? I know. I'm having this very lovely discourse here. Yes.
So essentially people, they want to go... If they have to go forth with the effort of creating an account, they'll... They hope that people won't publicly see what they're trying to scam, for example. See, if, for example, someone emails us saying, you know, hey, I found this extreme exploit. It's going to crash the network. You have 30 days to give me bounty or I'm going to destroy the world, right? They can say it. But, you know, where's the proof, first of all, but they can also release that, for example, to the media. They can say, well, Monero has this huge exploit, and I'm just going to screw them over if they don't pay me any attention. That's a bad move and what have you. But then you have 30 days of wondering. And then you have 30 days of speculators. And that doesn't, you know how that works out. So if we were to force HackerOne, they essentially act as a third party. I mean, intentionally we want that third-party observation so they can say, hey, no, this is either a real exploit, provide that proof of concept, or it's not, you're full of it, this is a scam. So that's probably one of the bigger reasons why we prefer HackerOne over email. And I would say get rid of email altogether, than various other reasons. So I discussed that. Now let's talk about a few of the problem people. So these are people that, well, I think I already pointed out, yeah, this one, this is the 20,000, 200,000, whatever. So that was a problem person. But here's a case of irresponsible disclosure. Our lovely friend, fireice_uk, I'm sure he's watching this. So I guess his argument was, okay, so I mean, I don't really want to glorify this guy at all, but essentially you can judge for yourself. I believe his argument was he didn't want to report it responsibly because he didn't want bounty. Well, that makes absolutely zero sense, because you can just say no thanks on the bounty.
As I did with the constant-time person; I'm just like, whatever, I'm paid anyways, it's too tricky, just whatever, fix it. But that was his argument, supposedly. And if I'm interpreting his statement, and of course he cherry-picks, right, he cherry-picks the one bad report we had where the guy wanted 200,000, says it as, you know, that's the reason, because these guys are such a-holes and they're such evil people. I'm so innocent and I'm just going to publicly disclose this, because I'm elite and you are not. So, I mean, I haven't followed the thread honestly after that. Oh, look, someone thumbs-downed it. Oh, GitHub. Oh, okay, we've got an unhappy customer there. But this goes on; you can read the thread. It's resolved. It was resolved. So in another case, and this is funny, this is what the MRL folks had to deal with, was this, like, a tweet. Okay, that's just, like, very irresponsible, because you don't know what can come from the tweet. You don't, first of all, you don't even know if it's applicable. Secondly, you don't know how much damage it can do, if any at all. There's no discussion. It's just like this embracing of egos, essentially, how I'm interpreting it. I mean, look at me, look at me, look at this. And I'm thinking, you know, this is just, everything's going to be broken at any point. It's just, this is how it is. It's not a huge deal. So let's not make it a big deal. Let's try to streamline this so we can move on and do other things with our lives. And I believe this was resolved. The others can, yes, absolutely, they can clarify further if you want to talk to them. So those were just a couple of the bad cases. And you saw some of the good cases. I think, I mean, those are the links I have. Any questions? Yes? How do you manage duplicates, if any of them? I mean, you use both emails and HackerOne. Why not HackerOne? Why not just HackerOne?
Okay, so you repeat the first part of the question before the microphone? Yeah. Why do you, how do you deal with duplicates? Because you have, like, two entry points to your bug bounty program. And why don't you just use only HackerOne? That's a great question. And that's what I want to, I want to get rid of that one entry point of email. I personally haven't gotten any emails about Kovri, but I don't have access to, you know, fluffypony's email, and whatever emails they get, I don't know. And that's actually kind of cool, because although we're a team, we're a decentralized team. So it's not 100% trust; we're not like a cabal of people working together to, you know, manipulate things. I don't have access to everything. They don't have access to everything. So that's actually a convenient thing. But why don't we do that? We haven't fully discussed it yet. I would like to remove that point. Can I answer the question? Okay. Oh, I'm sorry, you have, how did, how do what? Deal with duplicates. Oh. Patiently and politely. Or at this point I'm just copying and pasting, you know, read the policy, and I can close the report, because, you know, they're not reading the policy, duplicates most of the time. Oh, okay. I see what you mean. Okay. How, they're the only, actually the only instance of duplicates was with the recent one. Not the double spend. It's the, what's the short, the short end of it? Yes, yes, yeah. So a couple of people, but it turned out that, if you look at the details, they weren't actually duplicates. So we actually rewarded each researcher on a per-issue basis. But we haven't found any duplicates of actually useful code. The duplicates are all, like, website cross-site stuff. So, just close the report. Okay. If you want to discourage email, could you post PGP keys on the HackerOne account and encourage encrypted submissions? I'm sorry, could you repeat that? Sure.
Do you want to encourage encrypted submissions on HackerOne? If you want to get rid of the email contact, how would you, encrypt, I mean, what kind? PGP. Just post, like, a PGP key on the HackerOne disclosure page. I'm sorry, I did not hear. Oh, like post a PGP key on the, oh, PGP. Yeah, on the, oh, within HackerOne. Yeah, yeah. Just on the disclosure page. Sure, sure. That would, but that would, I mean, I'm assuming you mean within the report? Yeah. If there's a concern that the platforms have been compromised by intelligence and they've got access to the non-public reports? Well, that, and that's another thing: we're actually assuming that they are compromised. We're actually, in a certain sense, hoping they are, because that gives us incentive to resolve this quickly. It also gives a certain legal binding to them, as a business, if they don't follow through with their code. I mean, that was actually one of the threats there. But then of course the argument for that is, well, they can comply with the alphabet agency, but they don't have to disclose it. Okay, well, you have all these what-ifs, so we just have to assume it's compromised, and we need to use that to our advantage to prevent scammers and whatnot. So if we used PGP, for example, that would essentially be like email, in my opinion. We see the reporter could be from anywhere and wherever, encrypting something; they can't see the message. Does that make sense? Yeah. So that, I think that's why we don't. Okay. Okay. Any other questions? Okay, one more? Yeah, I'm curious where, I guess the pool of your bounty, your bounty pool, is it donation-based? Yes, thank you. It is entirely donation-based. We raised, like, a lot of bounty from the community. Just people who want to contribute. So they give the Monero.
And there's, yeah, there's no company backing, there's no agency backing that I know of. It's all paid in Monero anyway. So it's untraceable. Yeah. Cool. All right. Do we have time? One more question, or? Any more? One more question? Okay. One last question. Thank you. Do you actually proactively try to find exploitation attempts for vulnerabilities that aren't disclosed? On what? I'm sorry? That vulnerabilities, if you have a, do you have a proactive approach to discover non-disclosed vulnerabilities that are actively exploited? Oh, okay. Me personally, I mean, that's kind of part of development. I mean, I'm not sure if I'm understanding the question. We're always trying to find these, oh, you mean like heuristics and analysis and network monitoring? Yeah, and yeah. Oh, well, that, not within this process, not yet. I mean, that's something to think about. But that kind of goes into the realm of development research. And this is more of just streamlining of something really simple, and reporting, essentially. Okay. Thank you all very much. All right, let's give, whoa, this is pretty loud. Let's give anonimal a hand. Thanks so much for coming up here. And if you have any more questions for him, he should be hanging out back at that table, and he can be talking about Kovri and also this vulnerability response process.