Sat. Jun 29th, 2024

The nature of open-source distributed systems leaves some vulnerabilities open to exploitation, but should bugs be exploited publicly or disclosed in private?

The below is a direct excerpt from Marty's Bent:

Proof Burak knew this would break LND

Something to note about this OP_SUCCESSx transaction is that it typically wouldn’t be included in a block. However, it seems that Burak bribed miners by attaching a particularly high fee to this transaction that F2Pool couldn’t resist.

This situation has surfaced a lot of debate over the last two days. Was Burak wrong to exploit this bug in the wild on mainnet? Should he have properly disclosed the vulnerability to btcd and LND in private, allowing them to patch the code before the bug was exploited in the wild? Should LND be dependent on btcd, which is an alternative implementation of Bitcoin that doesn't get nearly as much attention and review as Bitcoin Core receives?

Your Uncle Marty certainly doesn’t have the right answers to all of these questions, but it’s important for you freaks to be aware of this stuff so I thought I’d bring them to your attention.

This is the nature of open-source distributed systems. There could be a lot of vulnerabilities lurking out there, and there is no clear way to handle the problems. Many will advocate for responsible disclosure in private, while others will advocate for overt adversarial actions that force the issue. This is one of the trade-offs you choose when you decide to opt into a free market monetary network.
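The excerpt's point that an OP_SUCCESSx transaction "typically wouldn't be included in a block" is a relay-policy matter, not a consensus one: under BIP342 any tapscript containing an OP_SUCCESSx opcode is unconditionally valid, but Bitcoin Core's default standardness policy (the DISCOURAGE_OP_SUCCESS flag) refuses to relay or mine such transactions, so one normally only reaches a block if a miner takes it directly, as F2Pool did here. The distinction matters for the disclosure debate because a block carrying such a transaction is valid, and any node implementation that fails to validate it correctly stops following the chain. The following is an added example, not code from the article, from btcd, LND or Bitcoin Core; it mirrors the initial tokenizing pass that tapscript validation makes, stopping at the first OP_SUCCESSx, and reports how consensus and default relay policy treat a script. The sample scripts are constructed for illustration and the field names are this example's own.

```python
"""Classify a tapscript (BIP342) for consensus vs. default relay-policy treatment.

Added example for illustration; not the article's, btcd's, LND's or Bitcoin
Core's code. Applies to tapscript (Taproot leaf version 0xc0) only: in legacy
and segwit v0 scripts the same byte values are not OP_SUCCESSx.
"""

# OP_SUCCESSx opcodes as listed in BIP342:
# 80, 98, 126-129, 131-134, 137-138, 141-142, 149-153, 187-254.
OP_SUCCESS_CODES = frozenset(
    [80, 98, 137, 138, 141, 142]
    + list(range(126, 130))
    + list(range(131, 135))
    + list(range(149, 154))
    + list(range(187, 255))
)

OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 76, 77, 78


def tokenize(script: bytes):
    """Yield (opcode, pushed_bytes) pairs in script order.

    Push data is skipped as a unit, so a byte such as 0xbb inside a push is
    data, not an opcode. A push that runs past the end of the script raises
    ValueError, which is how a script fails to parse.
    """
    i, n = 0, len(script)
    while i < n:
        op = script[i]
        i += 1
        size = 0
        if 1 <= op <= 75:            # direct push of `op` bytes
            size = op
        elif op == OP_PUSHDATA1:     # 1-byte length prefix
            if i + 1 > n:
                raise ValueError("truncated PUSHDATA1 length")
            size = script[i]
            i += 1
        elif op == OP_PUSHDATA2:     # 2-byte little-endian length prefix
            if i + 2 > n:
                raise ValueError("truncated PUSHDATA2 length")
            size = int.from_bytes(script[i:i + 2], "little")
            i += 2
        elif op == OP_PUSHDATA4:     # 4-byte little-endian length prefix
            if i + 4 > n:
                raise ValueError("truncated PUSHDATA4 length")
            size = int.from_bytes(script[i:i + 4], "little")
            i += 4
        if i + size > n:
            raise ValueError(f"push of {size} bytes runs past end of script")
        data = script[i:i + size]
        i += size
        yield op, data


def classify_tapscript(script: bytes) -> dict:
    """Report how consensus and default relay policy treat a tapscript.

    Walks the script in order and stops at the first OP_SUCCESSx. A parse
    failure before any OP_SUCCESSx makes the script invalid; bytes after one
    are never examined, so they may be anything. Scripts without OP_SUCCESSx
    are reported as relayable on this ground only; their validity depends on
    actually executing them, which this example does not do.
    """
    try:
        for op, _data in tokenize(script):
            if op in OP_SUCCESS_CODES:
                return {
                    "parses": True,
                    "op_success": op,
                    "unconditionally_valid": True,   # consensus: valid, whatever follows
                    "relayable_by_default": False,   # policy: DISCOURAGE_OP_SUCCESS
                }
    except ValueError as exc:
        return {
            "parses": False,
            "op_success": None,
            "unconditionally_valid": False,
            "relayable_by_default": False,
            "error": str(exc),
        }
    return {
        "parses": True,
        "op_success": None,
        "unconditionally_valid": False,
        "relayable_by_default": True,
    }


if __name__ == "__main__":
    # Constructed sample scripts, not real on-chain data.
    samples = {
        "OP_1 only": b"\x51",
        "OP_SUCCESS187 then garbage": b"\xbb\x05\x01",
        "0xbb inside a push (data, not an opcode)": b"\x02\xbb\xbb",
        "truncated push": b"\x05\x01",
    }
    for name, script in samples.items():
        print(f"{name}: {classify_tapscript(script)}")
```

The "OP_SUCCESS187 then garbage" case is the one worth internalising: the trailing bytes would not even parse, yet the script is consensus-valid because the OP_SUCCESSx is hit first. A validator that tokenizes the whole script before honouring OP_SUCCESSx, or that enforces relay-policy limits at block-validation time, will reject a block that the rest of the network accepts.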