Security Disclosure Mishandled by Bitcoin Core Maintainers #33024

issue starixapp opened this issue on July 20, 2025
  1. starixapp commented at 6:37 pm on July 20, 2025: none

    Summary: A serious coordinated disclosure of a CI/CD vulnerability chain impacting Bitcoin Core trust infrastructure was submitted responsibly, but met with the following:

    • Dismissive behavior
    • Public mockery of the researcher
    • False technical claims downplaying CI/CD threat
    • Closure of the GitHub issue without technical evaluation

    Who was involved:

    • @achow101 (Ava Chow) closed the issue without PoC review, discussion, or coordination.
    • @kanzure (Bryan Bishop) mocked the disclosure, questioned the researcher’s credibility, and injected irrelevant LLM accusations — instead of addressing technical risk.

    Why this matters:

    Bitcoin’s strength lies in its trust chain. CI/CD is not some optional layer — it’s the heart of review, merge, and verification processes.
    Any compromise here affects:

    • Pre-merge testing
    • Contributor approval paths
    • Verification infrastructure
    • Downstream consumers: wallets, exchanges, custodians

    Dismissing this is not just technically ignorant — it’s dangerous.

    Timeline:

    • 📅 July 20, 2025 – Initial disclosure sent via security@bitcoincore.org
    • 📅 July 20, 2025 – Issue opened on GitHub
    • 📅 Bryan intervenes, dismisses, and mocks the disclosure
    • 📅 Ava closes the issue with “Completed” without PoC or review
    • 📅 Still no direct technical contact or secure channel offered

    Researcher Statement:

    I disclosed this issue privately and professionally. I expected maturity, not mockery. This post is not for attention — it’s to protect an ecosystem that deserves better gatekeepers.

    Request:

    • Public acknowledgment of mishandling
    • Re-opening of a secure coordination channel (PGP)
    • Engagement with maintainers who respect ethical disclosure


    Researcher: Alex Morgan
    This issue will remain public as a case study in how not to respond to critical vulnerabilities. @kanzure @achow101

  2. achow101 commented at 6:44 pm on July 20, 2025: member

    A reply to your security list email was already sent, explaining why the premise of your initial report appears to be off but also asking for further information, which you have also replied to. We have not received any concrete details.

    Do not open duplicate issues.

  3. achow101 closed this on Jul 20, 2025

  4. starixapp commented at 6:48 pm on July 20, 2025: none

    You’re demanding technical details — in public — without offering any secure coordination, and acting like that’s the standard?

    Who exactly are you in this security process?

    Because unless you’re the official point of contact for responsible disclosures (with actual authority to manage vulnerabilities), I have zero reason to disclose anything sensitive through a GitHub issue, especially under your command.

    Security 101: You don’t pressure researchers to publish exploit chains in public.
    You create safe, encrypted, verifiable channels.
    I’ve already done that — via security@bitcoincore.org, and if you can’t represent the security response team with the proper process and respect, then stop acting like the gatekeeper.

    You’re not the wall protecting Bitcoin — you’re the noise distracting from real risk.

    – A researcher who plays by the rules… even when the gatekeepers don’t. @achow101

  5. sipa commented at 6:58 pm on July 20, 2025: member

    No, we are absolutely not asking you to disclose anything through github.

    You received a response to your email to the security list to follow the instructions on https://bitcoincore.org/en/contact/ for responsible disclosure. It has PGP keys.

  6. starixapp commented at 7:28 pm on July 20, 2025: none

    Subject: Escalation – Zero Response from Security Team

    Hi,

    I’ve already sent my initial report via email to security@bitcoincore.org — as instructed.
    That was overhours ago. Not a single person from your team acknowledged it or treated it with any seriousness.

    Instead of coordinated handling, I’m receiving public deflection, demands to encrypt before engagement, and complete disregard for the time-critical nature of this vulnerability.

    If someone actually capable of understanding what’s at stake is on your team, they need to step in now. Otherwise, it’s clear that the process is broken — and that the security of Bitcoin Core is being handled like a joke.

    This is not how you treat a coordinated disclosure.
    And it’s definitely not how you protect a multi-billion dollar ecosystem.

    I will not continue engaging with people who treat ethical researchers like an inconvenience.

    – Alex Morgan
    Security Researcher
    founder.autoshield@gmail.com @sipa

  7. starixapp commented at 7:38 pm on July 20, 2025: none

    Final Warning – This Is Not a Game

    Hi,

    The level of negligence and dismissal I’ve encountered from this process is honestly unbelievable.

    Let me make something very clear:

    You are sitting on a live vulnerability chain capable of compromising trust in Bitcoin Core CI/CD, poisoning builds, and potentially diverting funds from real users — without detection. This isn’t a UI bug. This is a structural flaw. And you’re treating it like an inconvenience.

    By continuing to downplay this, you are not just ignoring me — you are gambling with the credibility of every signature, every binary, and every user trusting your infrastructure.

    One exploit. One poisoned release. And someone loses everything. It won’t just be on me for discovering it — it’ll be on you for laughing it off.

    So let me say it plainly:

    If someone with actual authority and technical capacity doesn’t respond, I will stop trying to protect you from yourselves.

    – Alex Morgan
    Security Researcher


  8. starixapp commented at 7:44 pm on July 20, 2025: none

    You’re Not Protecting Bitcoin – You’re Endangering It

    Hi,

    Let me be blunt:

    If this level of dismissiveness continues, it won’t be the vulnerability that destroys trust in Bitcoin — it’ll be your attitude toward it.

    Bitcoin Core is older than some of the responses I’ve been getting.
    This isn’t just software. It’s a multi-billion dollar system that millions rely on.

    And yet here we are, wasting time with gatekeeping, arrogance, and red tape.

    You don’t protect Bitcoin by mocking researchers.
    You protect it by listening — especially when the risk is real.

    So I’ll say it clearly:

    If this continues, it’s not the system’s fault for falling — it’s yours.

    – Alex Morgan @sipa @achow101

  9. starixapp commented at 7:46 pm on July 20, 2025: none

    @laanwj

    I’m respectfully tagging you because this has gone beyond a misunderstanding — and into a systemic failure of responsible disclosure.

    What started as a coordinated attempt to report a critical CI/CD vulnerability has now turned into a thread filled with mockery, deflection, and a complete lack of technical engagement from some contributors.

    Bitcoin Core deserves better than “lol encrypt first” replies and GitHub closures.
    This isn’t about me — it’s about how you treat infrastructure threats that could compromise binaries, trust paths, and ultimately user funds.

    Your guidance on how to proceed — or who is truly responsible for handling this properly — would be greatly appreciated.

    – Alex Morgan

  10. starixapp commented at 7:57 pm on July 20, 2025: none

    Final Notice – Mishandled Disclosure with Global Financial Impact

    To whom it may still concern,

    This is my final attempt to engage professionally.

    What I disclosed is not a bug. It is not a user-side issue.
    It is a full-spectrum CI/CD trust chain vulnerability that affects the integrity of Bitcoin Core’s build process, its signed binaries, and the downstream systems that trust them — including wallets, exchanges, infrastructure providers, and even governments.

    The current response from the maintainers has ranged from negligent to sarcastic.

    You’re sitting on a 2.35 trillion USD ecosystem.
    And your team treats critical disclosure like a spam filter test.

    Some of you clearly don’t understand the difference between a theoretical flaw and an exploit chain that could lead to real financial loss, irreversible trust breakdowns, and state-level economic damage.

    I gave you the chance to fix this.
    Privately.
    Professionally.
    Ethically.

    You mocked, minimized, and dismissed.

    If no serious technical response is initiated — from someone with authority and an actual understanding of supply chain security — I will escalate externally. That includes affected third-party vendors, blockchain security firms, and (if necessary) full public documentation.

    You don’t get to claim decentralization when you centralize arrogance and gatekeeping.

    Consider this the last courtesy.
    What comes next will be loud, factual, and permanent.

    – Alex Morgan
    Security Researcher
    founder.autoshield@gmail.com

  11. achow101 commented at 8:15 pm on July 20, 2025: member

    You have been asked multiple times to send an encrypted email to the security list. No one has asked you to publicly disclose any issues.

    Your repeated claims and accusations of bad faith strain your credibility.

  12. pinheadmz commented at 8:23 pm on July 20, 2025: member

    Blocking this user for 7 days for misbehavior on the issue tracker. Seems like appropriate channels are open for proper security disclosure.

  13. bitcoin locked this on Jul 21, 2025

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-08-31 00:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me