
Conversation

@SyntheticBird45 commented Apr 26, 2025

will squash once approved

Luigi doesn't respond to emails,
and the PGP key has already caused numerous confusions:

#164 (comment)
https://hackerone.com/reports/2677306#activity-29266850
https://libera.monerologs.net/monero-dev/20241222#c478888

@plowsof commented Apr 26, 2025

Luigi forwards emails of people who have issues registering on the CCS repo, so the email is actively read; he's a member of core and is intimately involved with the VRP.

If the email / RSA-2048 is the issue, please convince him it's critical. Is RSA-2048 deprecated now, or in 2030 due to quantum computing? (I've only scanned a HackerOne post about it.) If so, what encryption should be used? The new key would then have appropriate encryption/email.

@SyntheticBird45 (Author)

> Luigi forwards emails of people who have issues registering on the CCS repo, so the email is actively read; he's a member of core and is intimately involved with the VRP.

Thanks for confirming this is actively read. I assume an entire day passing without any response to be of concern when the RSA key is "outdated by today's standards". And I have no doubt he is involved, since he is the one paying out the bounty, though he could also just be busy with other things.

> If the email / RSA-2048 is the issue, please convince him it's critical. Is RSA-2048 deprecated now, or in 2030 due to quantum computing? (I've only scanned a HackerOne post about it.) If so, what encryption should be used? The new key would then have appropriate encryption/email.

IMO the key issue is not a matter of cryptography, though I would welcome any more qubit work needed. Monero is a privacy cryptocurrency which has to put an accent on security. This can be seen with numerous audits and the talented devs. I, and I think others, would expect the VRP to be coherent with the general project standards, and having an up-to-date key is the bare minimum for any project.
The key size, the creation date, and the mismatch between a Gmail account and a getmonero.org one just indicate this isn't taken seriously at all. It's a matter of credibility.
So no it's not critical and will never be, but it's embarrassing for the project in the long-term.

I know it's boring, but please @luigi1111 regenerate an RSA-4096 PGP keypair, with a 4-year lifetime, against [email protected] (and your Gmail as another UID if you need it for forwarding, I suppose).
This can only be beneficial.

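As an added example (not code from this PR or from the Monero project), here is a small Python check that applies the criteria asked for in the comment above (RSA-4096 or better, a lifetime of at most 4 years, a getmonero.org UID) to the colon-delimited output of `gpg --with-colons --fixed-list-mode --list-keys`. Both listings below are constructed for the example, with invented key IDs, fingerprints and addresses; treating Ed25519/ECDSA keys as acceptable and allowing a few days of leap-year slack on the 4-year lifetime are assumptions of the example, not something the thread decides.

```python
"""Check a gpg key listing against the VRP-contact key criteria discussed above.

Field layout follows GnuPG's doc/DETAILS for --with-colons records:
type, validity, key length, algorithm, key ID, creation, expiration, ..., user ID (field 10).
"""
import re
from datetime import datetime, timezone

# OpenPGP public-key algorithm numbers as gpg prints them.
RSA, ECDH, ECDSA, EDDSA = 1, 18, 19, 22
ACCEPTABLE_PRIMARY_ALGOS = {ECDSA, EDDSA}       # curve25519 primary keys show up as EdDSA (assumed OK)
ACCEPTABLE_SUBKEY_ALGOS = {ECDH, ECDSA, EDDSA}  # curve25519 encryption subkeys show up as ECDH
MIN_RSA_BITS = 4096                             # from the request in the thread
MAX_LIFETIME_DAYS = 4 * 366                     # "4-year lifetime", with leap-day slack (assumed tolerance)

NOW = 1745625600  # 2025-04-26T00:00:00Z: a constructed "today" so results are reproducible

# Constructed listing resembling the key criticised above: RSA-2048, created 2014,
# no expiry, only a gmail UID. Key IDs, fingerprint, hashes and UID are invented.
OLD_KEY_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1388534400:0::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1388534400::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Example Maintainer <maintainer@gmail.com>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1388534400:0:::::e::::::23:
"""

# Constructed listing of what the thread asks for: RSA-4096, expiry 4 years after
# creation, a getmonero.org UID plus the gmail one as a second UID. Also invented.
NEW_KEY_LISTING = """\
pub:u:4096:1:1111222233334444:1714089600:1840233600::u:::scESC::::::23::0:
fpr:::::::::11112222333344441111222233334444AAAABBBB:
uid:u::::1714089600::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Example Maintainer <maintainer@getmonero.org>::::::::::0:
uid:u::::1714089600::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Example Maintainer <maintainer@gmail.com>::::::::::0:
sub:u:4096:1:5555666677778888:1714089600:1840233600:::::e::::::23:
"""


def parse_listing(text):
    """Extract the primary key's algorithm, size, dates, UIDs and subkeys from one listing."""
    info = {"algo": None, "bits": None, "created": None, "expires": None, "uids": [], "subkeys": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            info["bits"], info["algo"] = int(f[2]), int(f[3])
            info["created"] = int(f[5])
            info["expires"] = int(f[6]) if f[6] else 0  # 0 / empty means "never expires"
        elif f[0] == "uid":
            info["uids"].append(f[9])
        elif f[0] == "sub":
            info["subkeys"].append((int(f[3]), int(f[2])))
    if info["algo"] is None:
        raise ValueError("no pub record in listing")
    return info


def uid_emails(uids):
    """Pull the address out of 'Name <addr>' UIDs; bare addresses pass through."""
    emails = []
    for uid in uids:
        m = re.search(r"<([^>]+)>", uid)
        emails.append((m.group(1) if m else uid).strip().lower())
    return emails


def check_key(info, expected_domain, now):
    """Return a list of policy findings; an empty list means the key passes."""
    findings = []
    if info["algo"] == RSA:
        if info["bits"] < MIN_RSA_BITS:
            findings.append("weak-algorithm")
    elif info["algo"] not in ACCEPTABLE_PRIMARY_ALGOS:
        findings.append("weak-algorithm")
    for algo, bits in info["subkeys"]:
        weak = (algo == RSA and bits < MIN_RSA_BITS) or (algo != RSA and algo not in ACCEPTABLE_SUBKEY_ALGOS)
        if weak:
            findings.append("weak-subkey")
            break
    if not info["expires"]:
        findings.append("no-expiry")
    else:
        if info["expires"] <= now:
            findings.append("expired")
        if info["expires"] - info["created"] > MAX_LIFETIME_DAYS * 86400:
            findings.append("lifetime-too-long")
    if not any(e.endswith("@" + expected_domain) for e in uid_emails(info["uids"])):
        findings.append("missing-domain-uid")
    return findings


if __name__ == "__main__":
    for label, listing in (("old key", OLD_KEY_LISTING), ("new key", NEW_KEY_LISTING)):
        info = parse_listing(listing)
        created = datetime.fromtimestamp(info["created"], timezone.utc).date()
        print(f"{label}: algo={info['algo']} bits={info['bits']} created={created} "
              f"findings={check_key(info, 'getmonero.org', NOW) or 'none'}")
```

Run it against a real key with `gpg --with-colons --fixed-list-mode --list-keys <KEYID>` piped into `parse_listing`; the findings list is what a reviewer would paste into a thread like this one instead of arguing from memory.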

## II. Security response team

Collaborator

There are more people that have access to the HackerOne, so how exactly is the security response team defined?

Author

I would assume anyone who has access to the report without being invited.

Collaborator

In this case I would keep luigi. serhack also has access, though I'm not sure how active he is currently.

Author

NGL, I've never heard of serhack; I'll just keep luigi.


Only seen them on Reddit before

@nahuhh Apr 28, 2025

Everyone's heard of serhack 😅

among other things, is the author of Mastering Monero

Author

> Everyone's heard of serhack 😅
>
> among other things, is the author of Mastering Monero

Ah, alright lol. I guess he can be listed.

@SyntheticBird45 (Author)

Breaking News

Yet another person got confused over the PGP keys

https://libera.monerologs.net/monero-dev/20250427#c521439

@luigi1111 (Collaborator) commented Apr 27, 2025

A couple points:

My involvement with VRP has historically mostly been paying out bounties for valid reports. I don't particularly want to be a primary point of contact for vulnerability reports outside of Hackerone. I'm interested to learn of/participate in critical, particularly consensus-breaking bugs, but not much else.

getmonero email is a spam fest, almost unusable. I don't monitor the inbox very closely and don't run the server.

Lastly, I agree I need to update gpg keys, but prefer to do against gmail and curve25519 for Github signing rather than vulnerability reports, though it could be used for that.

@SyntheticBird45 (Author)

> A couple points:
>
> My involvement with VRP has historically mostly been paying out bounties for valid reports. I don't particularly want to be a primary point of contact for vulnerability reports outside of Hackerone. I'm interested to learn of/participate in critical, particularly consensus-breaking bugs, but not much else.

That's understandable.
I asked about VRP points of contact in December when a vuln researcher asked for the keys, and to my understanding there was basically no one who wanted to be one.

  • selsta would prefer to stick with H1 without necessarily being a point of contact
  • moneromooo is ok with being delisted, though would also be ok with being marked as a backup with delays
  • I asked if @jeffro256 would be willing to be an email one and he showed a positive response, but I think he got (fairly enough) busy and didn't have the time to either set up the mail, or maybe he revised his opinion.

If you don't particularly wish to be a primary point of contact, then there should be a discussion about who could and would be willing to do it.
Spoiler: I'm all for volunteering at being a point of contact. But I'm afraid I don't quite have the trust needed yet.

> getmonero email is a spam fest, almost unusable. I don't monitor the inbox very closely and don't run the server.
>
> Lastly, I agree I need to update gpg keys, but prefer to do against gmail and curve25519 for Github signing rather than vulnerability reports, though it could be used for

Fair enough

@luigi1111 (Collaborator)

jeffro would be a reasonable candidate if willing. Could possibly make it part of CCS to "ensure" someone has incentive to monitor for any reports?

A couple other long term devs come to mind as well, but I don't know if they have any interest.

@SyntheticBird45 (Author)

> jeffro would be a reasonable candidate if willing. Could possibly make it part of CCS to "ensure" someone has incentive to monitor for any reports?
>
> A couple other long term devs come to mind as well, but I don't know if they have any interest.

Mind listing the devs in question? Might as well directly ask them in #monero-dev. This could spark a discussion.

@luigi1111 (Collaborator)

I thought of vtnerd, but in theory the other devs that are on 5+ repeat hourly CCSes would be candidates. Not sure how many that is.

@SyntheticBird45 (Author)

> I thought of vtnerd, but in theory the other devs that are on 5+ repeat hourly CCSes would be candidates. Not sure how many that is.

I somehow forgot about vtnerd even though he is handling 80% of the vuln reports lmao

@selsta (Collaborator) commented Apr 28, 2025

The workload for the point of contact should be low, from what I can tell almost all reports happen over HackerOne.

@plowsof commented May 18, 2025

Devs with >5 CCSs (count)

  • j-berman 16
  • jeffro 14
  • tobtoht 12
  • vtnerd 9
  • hinto 8
  • boog900 6

@j-berman

I'm willing to include being a point of contact as part of my next CCS

@hinto-janai

I vote for @j-berman. If they are willing, I think also assigning @Boog900 would widen the coverage.

@SyntheticBird45 (Author)

this so much true. @Boog900 should rule the world

@vtnerd (Contributor) commented May 27, 2025

I was mentioned above - I can go on the VRP list if useful. I assume this means I would finally need to complete my GPG setup?

@SyntheticBird45 (Author)

@j-berman @vtnerd please confirm (at your pace) with the PGP key to be included and ways of communicating so that I make an edit to the document.

@PyXMR2025 left a comment

Sorry, ignore my approval, thank you!


10 participants