Assert Proposal 104 #2767
Conversation
Hey, I just want to let you know that if this does not end up getting merged, I'll take additional steps via governance that ensure that this is no longer the hub's official repository, because governance is supposed to drive the hub, not ICFormulet.
Bluntly, as a security researcher I think this kind of abusive, bullying behavior will discourage people from disclosing vulnerabilities. It's unkind to maintainers and a misuse of the PR system. faddat seems like someone influential who could make people's lives difficult (and pretty well-resourced based on the contents of the referenced proposal). So I think I would just avoid any involvement in all of (gestures) this. It's gotten out of hand.
Hi, no worries, I'm going to show you abusive. But please keep in mind I'm not the one being abusive. Here's Ethan Buchman, who is much more influential than myself, and much more well-resourced. Here are some Bucky quotes, arranged in time sequence (note: he made it up and I will release every email when things are safe):

- "Even if there is a real attack, it is not easy to discern given his approach" (they were in possession of video of it since before this comment)
- "They don't dive into your slack, you come to theirs, if and when you're invited" (referring to Amulet)
- "You're compromising the core security program that serves all chains" (this is the same security program that did not fix the ICA issue on the hub (I reported) and the same security program that did not fix banana king (reported at HackerOne by Felix and reported directly to teams by myself))
- "The reports that have been submitted are incomprehensible and laden with threatening language"
- "It's like we have to deal with a hysterical child every few months. Are we trying to run a serious and professional organization or is this kindergarten?" (I've clearly found what I claim to have found)
- "At least one of the thirty emails he sent seems to have some threatening language"
- "I don't think I meant to make some serious allegation" (it'd be a felony to make threats pursuant to something like this; @ebuchman accused me of a felony and I take that seriously)

To ensure that there's no misunderstanding, I continue to request that @ebuchman please post any threatening language he feels I've used here. Thing is, he later recanted all claim that there was threatening language, and I just want some safety in the sense of not having felony accusations lobbed at me by members of an organization that includes threats in its security policy. I've also been encouraged by a friend and mentor, @zmanian, to fully ignore the machinations of the foundation and proceed, so that's what I'm going to do.

I'm also going to leave this PR open, because I feel that Informal is in flagrant violation of the hub's governance, and that they are enhancing danger in Cosmos by not working directly with security reporters, and I'm referring to more than myself. Please know, @jessica0f0116, that I am not nearly as well resourced as Informal or the Interchain Foundation. I'm now going to work entirely on fixes; I've spoken my bit ad nauseam.
We should close this PR in favor of #2820
Rejecting in favor of #2820
Closing in favor of #2820
Description
It is our determination that the current security policy document on this repository represents a risk to the Cosmos Hub due to the release of information that can lead to chain halts, e.g. "affect consensus participation", by Informal Systems and Amulet, without review of documentation submitted by researchers at Notional.

During the process of reporting a complex security issue, both Informal Systems and Amulet have been entirely non-responsive. In total, Notional has received three emails pursuant to this issue from Amulet.

Because this issue extended over multiple layers of the Cosmos stack, we initially chose to involve Amulet, because their job description with the foundation is security coordination. Unfortunately, that has not been occurring.

It is our opinion that individuals or organizations with security matters to report, who wish to be able to review any findings before publication, likely would not want to work with Amulet and Informal, because Amulet published our findings against our express wishes.

Rejection of this pull request would be in clear violation of Cosmos Hub governance, which has chosen Notional to handle security operations for the Cosmos Hub.
Illustration
Most Cosmos chains would have this reaction to the exploitation of the issue that was published by ICFormulet as low severity, so we're going to need to remove ICFormulet from the security flow for the hub, for the hub's sake, and for the rest of Cosmos.
Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

- `docs:` prefix in the PR title

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

- `docs:` prefix in the PR title