[SECURITY] Urgent Disclosure Coordination Request – High-Risk CI/CD Vulnerability #33022

issue starixapp opened this issue on July 20, 2025
  1. starixapp commented at 1:27 pm on July 20, 2025: none

    Hello Bitcoin Core Maintainers,

    I’ve discovered a high-impact, multi-stage vulnerability chain that affects the CI/CD pipeline and trust chain of Bitcoin Core. The potential financial and systemic risk, if exploited, is critical and affects build integrity, wallet safety, and release trust.

    I have already sent a private disclosure request to security@bitcoincore.org but have not yet received acknowledgment.

    Due to the severity of the issue, I am requesting urgent coordination via a secure channel (PGP or ProtonMail). I will not be posting any technical details here, and I am committed to responsible disclosure.

    Please advise on next steps or confirm receipt so I can proceed with the secure report.

    Best,

  2. kanzure commented at 1:29 pm on July 20, 2025: contributor
    Stop spamming all the different channels. Message received. No details are provided, and therefore I cannot act upon it. Stop.
  3. starixapp commented at 1:36 pm on July 20, 2025: none

    It’s disappointing to see that a critical vulnerability disclosure, made with clear ethical intent and no technical details exposed, is being dismissed as “spam”.

    You’ve just publicly mocked a security researcher for not leaking sensitive data, while ignoring the fact that your security email hasn’t responded in days.

    That’s not just unprofessional — it’s reckless.

    I followed responsible disclosure standards to the letter:

    • No PoC shared publicly
    • No exploit details revealed
    • Requested only a secure communication channel

    If this is how Bitcoin Core handles potential billion-dollar threats to its supply chain integrity and CI trust model — then perhaps the real vulnerability isn’t in the code, but in the attitude.

    I’ll wait for a professional response. Until then, I suggest reviewing your disclosure policy — and your tone.

    – A researcher who actually tried to protect your users. @kanzure

  4. starixapp commented at 1:39 pm on July 20, 2025: none

    Bryan,

    Respectfully, your tone suggests authority, but to be clear: you are not listed as a security contact nor do you appear to represent Bitcoin Core’s responsible disclosure process.

    If you are not in charge of CI/CD infrastructure or part of the official security response team, dismissing a potential systemic vulnerability as “spam” is not only inappropriate — it’s dangerous.

    If you’d like to discuss memes or mailing lists, that’s fine. But if you’re not the person handling billion-dollar threat mitigations, I kindly ask you to step aside and let someone qualified respond.

    This is a coordinated, ethical disclosure with real risk. I’ll continue waiting for a professional reply through official channels.

    Thanks. @kanzure

  5. kanzure commented at 1:49 pm on July 20, 2025: contributor
    Your message is literally spam. It was sent four times to the mailing list in minutes, with slight variations testing filters I assume. It carries no pertinent information, and no patch to fix any security issues. Yes, I speak with authority because I know that anyone is able to contribute patches to GitHub. Also, if I am to believe you are truthful, then I’m also to believe you are truthful when you say that you sent to the security mailing list as well. So why would I not believe that? I’m specifically supposed to believe that you sent the patch to the security mailing list and that they incorrectly evaluated it? Is that the specific ask?
  6. kanzure commented at 1:53 pm on July 20, 2025: contributor
    I suppose the other possibility is that you do not want to use the PGP keys from the website or repository? But you specifically say you are looking for PGP keys.
  7. starixapp commented at 2:00 pm on July 20, 2025: none

    At this point, it’s clear you’re more interested in gatekeeping than in actual security.

    You’re attacking a disclosure you haven’t seen, dismissing a threat you haven’t reviewed, and injecting yourself into a process you’re not responsible for — all while preaching about protocol you clearly don’t understand.

    Let me be clear:

    • I used the correct PGP keys.
    • I used the official security contact.
    • I requested private coordination to avoid exactly this kind of circus.

    And what did I get?

    A self-appointed spokesman more interested in ego than ecosystem safety.

    This isn’t a game. This is a high-severity, multi-stage CI/CD compromise chain with real-world financial implications — not a GitHub comments section to flex your pseudo-authority.

    If you’re not part of the official security response team, kindly step aside.

    This isn’t your podium — it’s your reminder that not every researcher is here to beg for validation. Some of us are here to stop the bleeding.

    Enjoy your spotlight, Bryan.
    Because when this gets written up, your name won’t be on the patch — it’ll be in the footnotes as the person who tried to get in the way.

    – A researcher who takes security more seriously than you ever will.

  8. starixapp commented at 2:03 pm on July 20, 2025: none

    Bryan,

    Let’s correct the record — again:

    I sent the message twice. Not four times. Not a filter test. Just a researcher trying to do the right thing through responsible disclosure.
    The rest of your assumptions are as inaccurate as they are unnecessary.

    If you’re seeing every attempt to coordinate securely as spam, and every ethical move as suspicious, then perhaps you’re part of the problem — not the solution.

    You’ve misrepresented facts. You’ve mocked someone avoiding public leaks. And now you’re nitpicking numbers to discredit a disclosure you haven’t even seen.

    This isn’t about your ego or your guesswork.

    This is about a threat you can’t quantify — because you’re too busy trying to win a thread instead of securing a network.

    So here’s a challenge:
    If you truly believe you understand the technical risk, then explain it.
    If not? Then step back, and let the professionals handle what matters.

    I didn’t come here to argue with noise. I came here to stop a billion-dollar breach before it happens.

    Don’t be the reason it slips through.

    – The researcher you’re lucky spoke up at all. @kanzure

  9. kanzure commented at 2:09 pm on July 20, 2025: contributor

    If you now say you used the PGP keys, then why did you originally say you didn’t find the PGP keys when you wrote your earlier messages? This is confusing and inconsistent.

    None of your emails or messages have included your own pgp fingerprint or pgp key.

    Using LLM to write your messages is not helping your case. It is not itself dispositive but the spam, multiple messages sent back to back with odd inconsistent edits, lack of detailed information such as PoC or patch, and inconsistent story is not helping your case at all.

    Now you have brought up issues of ego or someone mocking you? Why?

    You have not answered my question about why I am supposed to believe your email to the security@ was inadequate. Having no reply is not that interesting.

    It’s not only x, it’s y.

    See follow-up here: #33024 (comment)

  10. starixapp commented at 2:13 pm on July 20, 2025: none

    Bryan,

    You’re not reading — just reacting.

    Let me walk you through what you’ve missed in your rush to sound authoritative:

    1. I did find and use the official PGP keys to send the report.
    2. I received no response — not even an automated acknowledgment — from security@bitcoincore.org.
    3. There was no request for my PGP fingerprint or key because no human has replied to coordinate.

    You keep pushing the narrative that this is about “believability.”
    This is not a personal trust issue. It’s a technical one — and one that’s being mishandled publicly because of your repeated interventions.

    Accusing someone of using LLMs is your latest deflection. I could have written this with crayons — the content still matters.

    If you truly represent the security team, coordinate professionally.
    If you don’t, then kindly stop derailing what was a clean attempt to disclose a major vulnerability through proper channels.

    Your involvement has gone from confusing… to obstructive.

    – A researcher who’s tired of explaining professionalism to someone who keeps missing the point. @kanzure At this point, the only inconsistency I see is your inability to decide whether you’re a reviewer, a gatekeeper, or just someone who doesn’t like not being the smartest person in the room.

  11. achow101 closed this on Jul 20, 2025

  12. starixapp commented at 6:28 pm on July 20, 2025: none

    Let’s get something straight — both technically and ethically.

    1. The issue reported was a multi-stage CI/CD supply chain vulnerability, not a syntax error or user complaint.
      Dismissing it without technical review is a breach of every responsible disclosure principle in open source security.

    2. The claim that “CI/CD cannot affect release builds” is not only inaccurate — it’s dangerously naive.
      CI/CD affects everything before deterministic builds:

      • Code review gates
      • Merge pipelines
      • Pre-merge verification
      • Contributor trust chain
      • Third-party integrations (wallets, exchanges, etc.)

      If CI was irrelevant, adversaries wouldn’t target it. Ask SolarWinds.

    3. PGP keys were used. No response came from security@bitcoincore.org. That’s not “inconsistency” — it’s silence.

    4. Bryan: Mocking responsible disclosure with “LLM” accusations and nitpicking email headers doesn’t make you right — it makes you part of the problem.
      Your entire approach has been one of arrogance, not security. You don’t speak for the project, and you certainly don’t speak for the users at risk.

    5. Ava: Marking a disclosure like this as “Completed” — without secure coordination, without technical assessment, and without review of the proof — is a cover-up, not a resolution.
      If anything, your response will be documented as a failure of process, not an example of it.

    Security isn’t a checkbox, a GitHub comment, or a title.
    It’s how you handle risk before it explodes.

    – A researcher who offered a chance to fix this quietly. You chose otherwise. @kanzure @achow101

  13. bitcoin locked this on Jul 21, 2025

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-08-31 00:12 UTC