mimblewimble team mailing list archive

Re: Grin's vulnerability disclosure and security process


crowd-funded eco-conscious hardware: https://www.crowdsupply.com/eoma68

On Tue, Sep 11, 2018 at 12:09 AM, Ignotus Peverell
<igno.peverell@xxxxxxxxxxxxxx> wrote:
> Hi,
> We published a first version of our vulnerability disclosure and security
> process (also copied in full below for convenience):
> https://github.com/mimblewimble/grin/blob/master/SECURITY.md
> I believe there are quite a few security researchers for whom I have a lot
> of respect on this list. Your feedback on the policy and how we can improve
> it would be extremely valuable. Thanks in advance for any help! I'm hoping
> we can set a good example and influence other projects to adopt a similar
> policy.
> - Igno
> P.S. Big thanks to Neha for her last post, it was timely and proved to be a
> very useful reference!
> ---
> # Grin's Security Process
> Grin has a [code of conduct](CODE_OF_CONDUCT.md)


ah.  i had not realised that the project has adopted one of these
extremely dangerous and toxic documents.  to illustrate extremely
graphically why they are bad, here is an absolutely and utterly
incomplete list of example "behaviours" that have "forgotten" to be
added:  it is unacceptable to murder, kill, rape, or to plan any of
these activities, with respect to any members.

 ... get the general idea?

 adopting a toxic proscribed "list of behaviours" absolutely
terrorises contributors "in case they might accidentally hit one", and
it absolutely disgusts people who would never even *remotely* consider
doing any of those things.

 worse: the people who *would* do these kinds of behaviours will do

 so the only effect that the toxic document has is: poisons and
terrorises contributors.

 therefore, i strongly, STRONGLY recommend that you REMOVE that
document as it will completely and irrevocably change the nature of
the project, and cause it ongoing harm.

if you would like to hear of a recommendation for an alternative, i am
happy to advise: you only have to ask.

however... if i do not hear from you within a week, or if you, the
developers, have no intention of replacing that extremely dangerous
document with an alternative, then i will require that you remove me
from this mailing list, and i will be recommending to the people that
i am in discussions with that this project be blacklisted from
consideration.  it's *that* serious.

if this at all shocks you, please research the recent FreeBSD adoption
of a similar toxic document, and the effect that it had on FreeBSD's
adoption and development.
