Intro

This is a case study of ethical security disclosure practices in cryptocurrency. We analyze how security experts reacted in disclosing a serious vulnerability in miner hardware to the public, and identify problems with the reaction of several particular experts that we believe violate ethical disclosure norms. It is my hope that by discussing what went wrong in the past, the Bitcoin community can grow into a more secure and robust space that respects appropriate professional ethics in interactions with the public.

The incident below occurred on 26 April 2017, when a vulnerability in Bitcoin miner hardware, Antbleed, was discovered. Soon after the discovery, some security professionals opportunistically used this vulnerability to advance false and damaging statements about the nature of the attack to the general public, and those statements were disseminated widely, beyond their control. We describe the facts and consequences of the incident below.

The Facts

@domenic
domenic / promises.md
Last active March 31, 2024 14:07
You're Missing the Point of Promises

This article has been given a more permanent home on my blog. Also, since it was first written, the development of the Promises/A+ specification has made the original emphasis on Promises/A seem somewhat outdated.

You're Missing the Point of Promises

Promises are a software abstraction that makes working with asynchronous operations much more pleasant. In the most basic definition, your code will move from continuation-passing style:

getTweetsFor("domenic", function (err, results) {
 // the rest of your code goes here.