We’ve always maintained the idea that the community owns the blockchain codebase, and to that end, we’re always looking for ways to balance the ease of community contribution to the Chia codebase while keeping it secure. One of the tools we often use is the bug bounty program. We challenge folks to gain access to our systems, break our tools, and generally mess with our operations in order to find areas where we can improve.
Monday morning, a bug bounty hunter, Adnan Khan, submitted a bug report which outlined a successful attempt to compromise us. He was able to leverage a GitHub configuration setting to compromise the self-hosted runners.
Fortunately, this is standard operating procedure for our security team. There is no risk to users, but we will be proceeding as if this was a malicious attack to ensure we’re hardened against this in the future. We’ll be rebuilding the hosts and getting them back into operation, all certificates and secrets are being rotated, and we’ll be using the information provided to us from this report to perform a “Red Team” follow up action to retest our assumptions about how effectively we have prepared ourselves and our tools versus this attack profile.
What does this mean for you?
As an end user, nothing! We’ll have new builds from Chia’s continuous integration (CI), and any build from our CI should be viewed with a skeptical eye from a signed installer perspective until new signature certificates have been rotated in. The only pending signature cert rotation is Windows. The macOS and Linux installers have been re-secured at the time of this writing.
Other than that, we’re always looking for folks to continue testing our security measures and processes and if you find any exposed vulnerabilities, you can raise them through our bug bounty program.
If you’d like more detail, give our GitHub post-mortem a read here.