Thread

Ego — it’s all about their little egos. Thank you for sharing this; you are a hero!

Who gave him a grant? Thanks for making your disclosure responsibly.

That's the difference between a principled person (you) and a dickhead

Calle mentions a bounty here: https://njump.me/nevent1qqsgxnm8s2y6fr9p0ccqeg45n9cm54c3mcg89fkvef7jttxy0x7zddcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqsm0uy6y

You're right. Bounty is the correct word. I didn't know the difference until now.

Crypto is basically a clash between 150 IQ programmers who've never developed social skills, and 92 IQ poor people who get hostile whenever their coin goes down 10% because they have no savings, and their net worth is -$30,000 & someone told them Bitcoin would make them rich.

He hates that Cashu even exists. Paul Sztorc also wrote a big tweet approving of Floppy's threats and condemning cashu development as unethical. Sketchy stuff. Adults can choose to tradeoff custody risks for great privacy and convenience. Doubly ironic in the case of Sztorc, who wants to give miners effective custody over drivechain funds.

the epitome of cringe. imagine fightning a little nut just because nobody takes your fork seriously.

A one year disclosure in this space is unacceptable imho… Issue with stuff like this needs to be addressed and fixed asap and not shelved for a year… Immediate disclosure was the right thing to do imho…

Thank you for your responsible disclosure. It was a pleasure working with you and collaborating to find the best way to fix. We learned a lot during that process. It wasn't the only interaction we had with security researchers since then. So far, every one of them knew how to handle these cases professionally. In every case, the person was collaborative and interested in helping the ecosystem as opposed to creating drama. Everyone except floppy. I'll let the psychologists do the psychoanalysis. Appreciate you and your work 🫡

We paid him a small bounty hoping it would show that it would show we're on his side. In hindsight, we shouldn't have done it. It turns out, ultimately, he's more interested in creating damage and drama than anything else.

Small pond, easy score

nostr:nevent1qqsgxnm8s2y6fr9p0ccqeg45n9cm54c3mcg89fkvef7jttxy0x7zddcpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsygzsm98u9kzcp35zkpc62shck8335gqtq5yt4w26xwl0pp2a72qavvpsgqqqqqqsm0uy6y

bad take and fundentally incorrect assesment and fixing take time, rollouts even longer, if the bug is protocol level all clients and mints would need to patch before disclosure. Sure the 'fix' in this process may be immediate but the rollout and post-patch assessment is very important and takes time. immediate disclosure benfits only skriptkiddies and malicious actors. These aren't new ideas, we stand on the shoulders of cybersecurity wizards and years of research on how to best innoculate a in-production coding project from bugs and potential exploits.

I totally disagree. Cashu/ecash is beta software for the most part… Disclosures should happen immediately…

Hi psycho Why did you share this publicly instead of reporting privately? nostr:nevent1qqsqqqzgvgp66qxznw3mqvw9xsl9c9j6t8warcgvh283n67mlzuucdspz9mhxue69uhkummnw3ezuamfdejj7q3qnccwjspr3nv7h67xx2qhdh2dzzvpyy55gte2dsu8yl7xd7n74y9qxpqqqqqqze4zsj9

Because the project was not being used yet.

fair enough, we sit on different sides of the fence on this one kidwarp (hug)

The software is beta but the money is not, it is real money.