Several months ago, I had a private conversation with a team member of the DFINITY Foundation regarding a specific network attack that I thought (still think) the Internet Computer is vulnerable to / wasn’t getting enough attention.
In light of the fierce debate around several aspects of the ICP that have come up in recent days, I am considering posting my half of the conversation to just get it out in the open for the community to brainstorm possible defenses.
I would, of course, only post my half of the discussion to maintain the privacy of the team member I spoke with and paraphrase the conclusion of what I was told.
However, because this is about a very specific network attack and provides a template for various other attacks, I am asking the experienced community members here / team members that read this forum if I should put this out in the public domain (or not).
This is an attack vector that the DFINITY Foundation is aware of, and that’s all I’ll say for the moment.
Looking for input from both Foundation members and people like @lastmjs @skilesare @jzxchiang etc.
In light of all the other issues that are going on, I’d suggest keeping it close to the vest. Perhaps some private conversations are warranted. We can do our best to put pressure on the network engineers to elevate the priority. I know a new replica version was just submitted to the NNS. Perhaps your concern is mitigated in there? If not the let’s have some private discussions about it before we blast it publically. If DFINITY gets some pressure from multiple angles and still doesn’t address it then we have that option, but hopefully, we can get it addressed without a public reveal, and then we can do a post-mortem on it.
2 Likes
I am not sure if you formally informed Dfinity, or if it was a just conversation with a team member. Formally disclosing it to DFINITY per their disclosure policy and receiving an acknowledgement of receipt is important as it is a component of holding them accountable if things go off the rails.
In the interim, if it were me, I would:
- keep the vulnerability confidential and not to disclose the vulnerability to anyone else
- send a message to Dfinity through their Security Vulnerability Program website with one’s expectation regarding a response.
If I felt that it had not received appropriate attention, I would contact their lead of security directly to alert them that a vulnerability has been reported and not actioned to your satisfaction. Unfortunately, Dfinity has not indicated who is the executive responsible for security. In this situation, I would inform Jan Camenisch (CTO) , Josh Drake (COO) and Paul Meeusen (VP Finance) - they likely have accountability for corporate risk management.
If there is no response, I would then share the non-action with well placed individuals who can influence the DFINITY team. I did not see a senior legal counsel listed – odd – I guess vacant.
Full Disclosure is the option of last resort and not recommended. Spending effort on informing persons is far better than invoking such a drastic option. Doing so will communicate the attack vector that could be exploited exposing the community to misery.
The Dfinity Vulnerability Policy should be supported by strong cryptographic intake processes that protects the information from being disclosed. A public email address and a public web site does not give me a great deal of confidence in the rigour of the disclosure program.
A quick review of their Vulnerability Disclosure Policy makes me think it should be augmented to provides vulnerability information that has been reported and addressed. Vulnerability information that has been reported should be assigned a CVE number by Dfinity for follow up by the submitter. Dfinity should provide an indication of timelines to the person who communicated the vulnerability for initial response and time to resolution.
Good luck.
2 Likes
I was told they know about it and were actively working on it, and I believe them.
After reading just the first two responses (yours included), I definitely won’t disclose it or even make any comment about it that could prevent any hint about it’s characteristics.
Thank you for the list of employees to contact, I’m a bit spent in terms of the time I have to devote to pursuing further notification and back and forths on it and so on, but if you want to take the baton on it, I can share with you via PM.
1 Like
For the record, by the way, I do not believe in any way that there has been non-action around it or anything of the sort.
So, it sounds like Dfinity is taking the required action. If you have formally conveyed the vulnerability through a mechanism outlined in the disclosure policy you may be entitled to a reward. Also, once the vulnerability is corrected or patched and no longer a threat, some organizations will give credit to the vulnerability researcher if the researcher wishes to be identified so one can add it to their list of accomplishments.
A good vulnerability disclosure program will respond and layout timelines when you will hear from them next without making you have to chase them.
E.g. We acknowlege receipt and have assigned it a CVE-99999 identifier. Resolution is expected in Q1/2022. Update to the CVE register will be published on 14 Jan 2022. We will contact you on _________ to inform you of our press release annoucing the resolution of the vulnerability. At that time we will ask if you wish to be publically acknowledged for your contribution. We appreciate you keeping this matter confidential…
If these dates slip, that is when you can choose to escalate or wait.
By following this process, it allows them to focus on fixing the problem and not simultaneously trying to fix it while under attack. If the vulnerability is dangerous, and there is evidence of foot dragging, escalation is the next step but not public disclosure.
3 Likes