[Vulnerability Coordination] Bitcoin Core Supply-Chain / CI-CD Integrity Issue – VU#237485 #33763

issue starixapp opened this issue on November 2, 2025
  1. starixapp commented at 9:56 am on November 2, 2025: none

    Is there an existing issue for this?

    • I have searched the existing issues

    Current behaviour

    Hello,

    I’m Alex Morgan from Sentinel Core. I have reported a supply-chain/CI-CD integrity issue that affects distributed Bitcoin Core binaries and requires technical coordination.

    For context: KuCoin has indicated this falls within Bitcoin Core’s scope, and CERT/CC has opened a coordination case (VU#237485).

    Please confirm receipt and provide a secure intake channel (PGP key/fingerprint, ProtonMail, or secure upload endpoint) or a technical contact for coordination. I will not share any runnable PoC publicly — only a sanitized teaser via the confirmed secure channel.

    Thanks,
    Alex Morgan
    Sentinel Core
    founder.autoshield@gmail.com

    Expected behaviour

    The expected behavior is that all build and deployment artifacts within the Bitcoin Core CI/CD pipeline are verified against their original signed source, with no possibility for unsigned or tampered artifacts to pass integrity checks or be distributed.

    In other words, any modification or injection attempt within the build or distribution process should be immediately detected and rejected before signing or release.

    Steps to reproduce

    Hello,

    Brief, non-actionable summary to help triage teams decide on next steps:

    • Scope: A supply-chain / CI-CD integrity symptom observed affecting distributed Bitcoin Core artifacts (artifact checksum mismatch vs. reproducible build).
    • Expected: Distributed artifacts should match the locally-reproducible signed build.
    • Observed: The distributed artifact hash differed from the reproducible build hash while signing metadata appeared present (indicates an integrity discrepancy in an intermediate pipeline stage).

    To keep this short: I can provide a small, sanitized proof package (redacted log excerpt + SHA256 ownership hash) once you confirm a secure intake channel (PGP fingerprint, ProtonMail, or secure upload endpoint).

    Please confirm a secure contact (PGP or endpoint) and a technical point-of-contact. A simple acknowledgement within ** hours** would be appreciated.

    Regards,
    Alex Morgan
    Sentinel Core
    founder.autoshield@gmail.com

    Relevant log output

    No response

    How did you obtain Bitcoin Core

    Compiled from source

    What version of Bitcoin Core are you using?

    v27.0.0 (64-bit, official build)

    Operating system and version

    Ubuntu 22.04 LTS (x86_64)

    Machine specifications

    No response
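The expected behaviour stated in the report, that a distributed artifact must match the digest attested by the signed checksum file and that any discrepancy is rejected, is the check a verifier of a release download performs. The following is an added example written for this page; it is not code from the reporter and not Bitcoin Core's own tooling. It parses a file in the `SHA256SUMS` layout used for Bitcoin Core releases (`<64 hex chars>  <filename>`), hashes each named artifact on disk, and classifies it as matching, mismatching, or absent. All filenames and file contents in `demo()` are constructed for the example. It assumes the `SHA256SUMS` text has already been authenticated out of band (for real releases, by checking the detached signature on the checksum file with the maintainers' published keys), since a checksum file of unknown origin proves nothing.

```python
import hashlib
import os
import tempfile


def parse_sha256sums(text):
    """Parse SHA256SUMS-style lines into {filename: lowercase hex digest}.

    Accepts the GNU coreutils layout '<hex>  <name>' (an optional '*' before
    the name marks binary mode) and rejects anything that is not a 64-char
    hex digest followed by a filename, so a corrupted or truncated checksum
    file fails loudly instead of silently verifying nothing.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHA256SUMS line {lineno}: {line!r}")
        digest, name = parts
        int(digest, 16)  # raises ValueError on non-hex characters
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large release tarballs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(sums_text, artifact_dir):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every attested file.

    A 'MISMATCH' is the integrity discrepancy the report describes: the bytes
    that were distributed are not the bytes the signed checksum file attests.
    """
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(artifact_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact artifact, one altered after the
    checksum file was produced, one that was never delivered."""
    good = b"constructed: stands in for an intact release tarball\n"
    original = b"constructed: stands in for an artifact before alteration\n"
    sums_text = "\n".join([
        f"{hashlib.sha256(good).hexdigest()}  good.tar.gz",
        f"{hashlib.sha256(original).hexdigest()}  altered.zip",
        f"{'0' * 64}  absent.tar.gz",  # attested but not present on disk
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(good)
        # The delivered copy differs from what the checksum file attests.
        with open(os.path.join(d, "altered.zip"), "wb") as f:
            f.write(original + b"constructed extra bytes\n")
        return verify_artifacts(sums_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Only the `ok` outcome should allow an artifact through; `MISMATCH` and `missing` are both release-blocking signals, and a parse error on the checksum file itself must be treated the same way rather than as "nothing to check".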

  2. starixapp commented at 9:58 am on November 2, 2025: none
    Requesting coordination: CERT/CC has opened case VU#237485 and KuCoin’s security team has indicated this falls within Bitcoin Core’s scope. Please confirm a secure intake channel (PGP fingerprint or secure upload endpoint) and a technical contact so we can provide a sanitized teaser for triage.
  3. fanquake commented at 10:28 am on November 2, 2025: member

    and provide a secure intake channel (PGP key/fingerprint

    See https://bitcoincore.org/en/contact/. You can send an email to security@bitcoincore.org using one of the keys listed there.

  4. fanquake closed this on Nov 2, 2025


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-11-02 18:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me