Responsible disclosure in the era of cryptocurrencies
My experience disclosing a critical Bitcoin Cash vulnerability.
On April 25, 2018, I anonymously and privately disclosed a critical vulnerability in Bitcoin Cash, one of the world’s most valuable cryptocurrencies — not to be confused with Bitcoin.
A successful exploit of this vulnerability could have been so disruptive that transacting Bitcoin Cash safely would no longer be possible, completely undermining the utility (and thus the value) of the currency itself. Instead, the vulnerability was fixed without incident, and publicly disclosed on May 7, 2018.
Suppose that I privately disclosed the bug using my name — only for someone else to find it independently and exploit it anonymously the next day. Because I used my name for the disclosure, hard proof would exist that I had the knowledge and means to attack the network. I would have no way to prove that I was not the attacker. Then consider that, collectively, billions of dollars could have been lost as a result of this exploit. People have been killed for much less. So not only was anonymity important, I considered it a necessity for my safety.