Nano-node: Minor issue with code for bug bounty

Created on 28 Dec 2017 · 40 Comments · Source: nanocurrency/nano-node

Spelling mistake on line 71 of https://github.com/clemahieu/raiblocks/blob/master/CL/cl.hpp

"decriptions" should be 'descriptions'

bug

All 40 comments

Thanks.

Please submit a PR

Thanks androm3da!

We offer three tiers of bounties, based on the severity of the bug, vulnerability or issue, paid in either XRB or the BTC equivalent:
Minor (100 XRB bounty)

A typo counts as an issue right? My address:
xrb_31gy5piietf7zmezsxk6a4dd7i87wgwoerhi7pjcqpif9ywuqc8a3nm8qekx

Ha, ha, I fail to see how a typo can fall under any of the classes of severity ;d

@AyiSoli Maybe in some way I can understand them, the team did not define what "Minor", "moderate" and "critical" is.
This could be as minor since it is something you don't want.

Would love to have them set up some boundaries to what minor,moderate or critical is

A very minor typo in a comment in code typically wouldn't fall under any category of bug, in my opinion

I was going by Colin's reddit post where he said:

"We offer three tiers of bounties, based on the severity of the bug, vulnerability or issue, paid in either XRB or the BTC equivalent:

Minor (100 XRB bounty)"

A typo is an 'issue' I believe. I hope they honor what they said in their announcement :)

independent observer here. I saw Colin’s reddit post also - I in no way interpreted it to mean that bounties would be paid for fixing simple spelling errors.

Sorry, I am autistic and take things very literally. To me a spelling mistake is an issue, and Colin specified issues. I do not understand :(

Regardless of whether a typo in a comment header is a bug or not (it _isn't_), this is amusing enough to dig into.

Here are the reasons why there should be no bounty paid on this minor issue, ranked by importance:

  1. This typo is not in RaiBlocks code, but in the included OpenCL module. The referenced comment clearly states,
/*
 * Copyright (c) 2008-2015 The Khronos Group Inc. 
 [...]
 *   \brief C++ bindings for OpenCL 1.0 (rev 48), OpenCL 1.1 (rev 33) and 
 *       OpenCL 1.2 (rev 15)    
 *   \author Benedict R. Gaster, Laurent Morichetti and Lee Howes
*/

The bug bounty offer clearly states,

If you believe you have found a bug in RaiBlocks.

This 'bug' isn't in RaiBlocks. Submitter should contact the Khronos Group for claims on their bug bounty program.

  2. The submitter did not follow correct protocol as described in the bug bounty offer:

1) Notify us that you have found a bug in the #bug_bounties channel on Discord at chat.raiblocks.net
2) The Core team will review the issue and if it is determined that the reported bug has merit, they will work with you to fix the bug and your bounty will be rewarded.

  3. The submitter has leaked the crucial details of this bug -- namely, a missing 's' in the word 'descriptions' -- prior to contacting the core dev team and resolving it. The offer clearly states,

    If the details of the bug leak ahead of the retrospective being published, whether accidentally or maliciously, the contract between RaiBlocks and the reporter is null-and-void and the bug bounty will not be rewarded.

  4. Lastly, this is a typo in a comment.

I advise @Jackoclypse to follow the protocol _very literally_ next time should he wish to claim a typo in a comment for a bug bounty.

But I followed the Discord link and they linked to here which is where I posted it?

Very well, that still leaves the most important point standing -- that this is a typo in a comment in code that isn't part of RaiBlocks. Are you parsing this list _very literally_?

But it is an issue in the RaiBlocks code, which is what Colin said in his reddit post was eligible for a minor reward. I do not think it would be fair to penalize me when I submitted something which follows the official announcement on the RaiBlocks subreddit, and since the devs have changed how they want the issues reported 4 times in 24 hours. Check the #bug_bounties channel on the discord to see what I mean

But it is an issue in the RaiBlocks code

No. It is an issue in OpenCL bindings. You can plainly tell by the copyright header pixels that it isn't part of RaiBlocks code. The rest is immaterial.

Comments aren't code, that's oft the point.

Nice try, smartass.

Colin's post: https://www.reddit.com/r/RaiBlocks/comments/7makm7/announcing_the_raiblocks_bug_bounty_program/

"The RaiBlocks protocol is open-source; you can find the code here
and the white paper here."

I followed the link where Colin found 'here'

https://github.com/clemahieu/raiblocks

I found an issue, I followed the instructions at the time to report it given how it is not a security related bug.

You've continued to ignore the most important point why this does not apply. Good bait though.

But it is an issue in the RaiBlocks code
No. It is an issue in OpenCL bindings. You can plainly tell by the copyright header that it isn't part of RaiBlocks code. The rest is immaterial.

But its in https://github.com/clemahieu/raiblocks which is what Colin linked to?

And it clearly says in that file,

/*******************************************************************************
 * Copyright (c) 2008-2015 The Khronos Group Inc.
 *

It's not part of the RaiBlocks codebase, but a file included from another project and mirrored in the git repo.

What does that matter? If someone found a security bug in that code it would not matter that it was included from another project?

 * Copyright (c) 2008-2015 The Khronos Group Inc.

Just because the mistake was included from something someone else made does not make it less of a mistake?

   > be me
   > browsing leddit
   > see bug bounty post, could get 100 RaiBlocks
   > install git, clone project
   > hackerman.gif
   > C++ making my eyes water
   > get idea! run spellcheck
   > find typo
   > awyiss.png
   > post bounty issue. 100 XRB here we go!
   > some coding dweeb says it's not security related
   > another one says it's a tiny typo in a comment, it's not code
   > another coding nerd says it's not part of raiblocks
   > another geek says it's copyrighted by someone else
   > teary_pepe.jpg
   > but my 100XRB reeeeeee

no specification saying the bugs had to be security related
literally in the RaiBlocks folder that was linked to
"copyrighted by someone else" is irrelevant for example what if a massive security bug was found in a part of RaiBlocks copyrighted by someone else

Otherwise the only part of your story that is wrong is that I copied and pasted the code into Word rather than installing git :P

@Jackoclypse dude, come get your xrb tip in discord

Wow. I told someone how to fix a wallet sync. That should be worth at least a million XRB by jackoclypse logic lol.

If you pay him you all are too nice.

On Dec 28, 2017, 19:09 -0500, Leo P. notifications@github.com, wrote:

@Jackoclypse dude, come get your xrb tip in discord
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

@groach I gave the guy something like 1000 raw for effort.

damnn

We don't give bounties for typos. Sorry! Thanks for the fix though

give the man his tendies

Typos in comments aren't code, and so shouldn't be eligible for bug bounties.

On the other hand the idea that "It's not part of the RaiBlocks codebase, but a file included from another project and mirrored in the git repo." means it isn't eligible for the bug bounty is quite frankly ridiculous.

If it affects Raiblocks, it should be eligible for the bounty because the goal of the bounty is to remove bugs, not assign blame for them.

Please Mr Shapiro

https://github.com/clemahieu/raiblocks/issues/302#issuecomment-355720541

Surely it is unfair to specify what you consider a bounty AFTER one has been submitted. When I found this issue nowhere in the bug bounty program was that stated.

If typos aren't bounties please clarify that in the bug bounty program, but to apply such a rule retroactively is wrong.

Don't give him anything. If you do give him, a rally of other spoiled brats like me will be jealous and you'll have 500 PRs a day for typos. Then you won't honor the 100 xrb for all of them and it will seem unfair.

Sorry @Jackoclypse

Surely it is unfair to specify what you consider a bounty AFTER one has been submitted.

What about common sense? Sorry, nothing personal, but let's be real, what are you gonna do? Hack me?

RE cedvdb

I'm asking that the terms of the bug bounty be updated to exclude typos, but because technically typos do meet the current criteria stated by Colin in the official reddit post, people who have already submitted them should be rewarded before the terms are updated.

1 XRB for effort :D

@Jackoclypse Your "bug" is not really a bug since it doesn't affect the execution of the program therefore you can't claim a bounty. If the typo was part of the code (not the comments) then that would be a different story.

There’s no reasoning with him.

He will tell you he’s autistic so he takes everything very literally— which somehow translates to him being owed thousands of dollars for a SPELLING MISTAKE in CODE COMMENTS....

Guys, let's stop wasting time on this please. Wow, appreciate the contribution. No bounties are offered for spelling mistakes. That's the end.

See you around the community

Cheers for the 1 XRB! (marco?)

It's something at least. I'll mark the issue as closed
