This development update is set up to share with you what exactly is going on behind the scenes. Yesterday, a user from the Monero research lab decided to apply for a bug bounty by publicly claiming to have found a leak in Shadows ring signature scheme through github (see: link). We would like you -our dedicated users- to know that, after 10+ hours of testing by Shadow’s core developers, our team has not yet managed to deanonymize any private transaction. We will of course keep looking into the claim and come up with a detailed report as soon as possible. Furthermore, we would like to ask everybody to never report security vulnerabilities publicly. Today showed us that public security reports can cause panic and FUD (fear, uncertainty and doubt) among our users, while in fact, the issue at hand might be easily solved by our team members or not be an issue at all. By reporting them privately and directly to our team, we can investigate or fix the reported issue before sharing it in public.
The details for responsible disclosure of security issues can be found in our bug and bounty program. Anyone that wants to claim a bounty should contact our development team privately by sending an e-mail to firstname.lastname@example.org with the details of the issue. Do not post the issue on github or anywhere else until the issue has been tested or resolved. As much as we appreciate anyone helping us fix or improve Shadow’s code, we can not pay out any bug bounty’s if they are shared publicly before discussed with any of our team members.
Back to the fun stuff...
For the past two months, we have had a great time working on our beloved project. Our team has been working on getting everything ready for ShadowMarket’s v1 release, ShadowCore update with improved GUI and started publicly testing PoS v3 yesterday. With everything that has been going on we felt like now would be a good time to send out a detailed update to show you what exactly it is we have been working on and you can expect from our team over the coming weeks.
- ShadowCore update
- ShadowMarket alpha testing
- Multilingual support
- Proof-of-Stake 3.0
- Check lock time verify (BIP65)
The Shadow Team