December 24, 2012, 04:24:20 AM
Weekly Update #18
We have disclosed a stake generation vulnerability this week. A researcher made the disclosure announcement two days ago so I had to issue a disclosure statement on the same day. I would like to talk a bit about the controversial topic of responsible disclosure. Why is responsible disclosure important? Because the computer software industry has already tried everything and learned the hard lessons, so an etiquette of responsible disclosure has been adopted widely. Responsible disclosure does not mean cover-up. It means the researchers and developers work together and negotiate a disclosure schedule, allowing reasonable time for developers to implement fix and for users to patch their systems. The management of bitcoin merkle hash vulnerability has been a prime example of responsible disclosure. We try to hold ourselves to high technical and ethical standard since the beginning of ppcoin network, and we would appreciate independent researchers from the community do the same.
The impact of the vulnerability is described in https://bitcointalk.org/index.php?topic=131940.0
The centrally broadcasted checkpoint is designed to help in this type of situations. So with the checkpoint protection the impact of the vulnerability is reasonably limited.
The vulnerability has been known to us for a while and I have spent quite some time to formulate an improved hash protocol. Proper review and implementation of the new protocol would take some time, and that's why I stress the importance of responsible disclosure as not all vulnerabilities can be fixed and patched in a day or two.
The schedule of implementing the new protocol is tentatively planned as following: week 1~2: implementation and review; week 3 - testing on testnet; week 4 - final testing, build and release; week 8 - client upgrade deadline and protocol switch. Yes the protocol change would be a hard fork and all clients are required to upgrade within 3-4 weeks after the release.
Merry Christmas to all!