Bitmain Releases Bugfix, But Sidesteps Open Source Issue

Bitmain, which manufactures the popular Antminer series of mining rigs, has released a new firmware update that patches a critical vulnerability. But not everyone is happy: One crypto developer claims that another bug exists, and he is leveraging Bitmain’s licensing practices as a negotiation tactic.

No Source Code, No Disclosure

James Hilliard, who discovered the unpatched bug, is refusing to disclose the additional vulnerability until Bitmain complies with the GPL software license. Bitmain’s firmware is currently closed source, but since it is built on GPL-licensed open source software, Bitmain is technically required to open source its firmware as well.

Bitmain, for its part, has acknowledged that the open source community discovered a vulnerability in its firmware, but the update doesn’t indicate that Bitmain has any immediate plans to make its firmware open source. Bitmain does, however, throw the community a bone: It claims that it has created a “special team” to pursue compliance with open source code.

It is not clear what Bitmain will do next, though Hilliard notes that the company has released its source code in the past. Regardless, there is a simple reason that releasing source code might matter: Public access to the code would allow the community to fix vulnerabilities without relying on Bitmain—and Hilliard believes that there are many more bugs to be found.

A Controversial Tactic

Even within the crypto community, Hilliard’s strategy has been received with mixed reactions. Although Hilliard has not yet published the code used to exploit the bug, he has shown that it can be used by attackers to reprogram an Antminer mining rig entirely. This has given the community some idea of what the bug involves.

However, many believe that the vulnerability can’t actually be exploited in practice, that it depends on a deliberately insecure setup, or that it doesn’t exist in the way that Hilliard is suggesting. Others are even accusing Hilliard of extorting Bitmain with his demands—though some community members are on Hilliard’s side, of course.

The Bigger Picture

Disclosure is a heated topic. A recent bug discovered in the Coinomi wallet involved a similar controversy. Although most people believe that companies should be privately informed of vulnerabilities, some people decide to reveal bugs publicly. Since no company is universally trusted, it is unsurprising that some are unable to force disgruntled users to follow their preferred procedures.

In any case, Bitmain will probably be able to withstand this controversy. Despite the fact that the company is gradually losing its past dominance over the mining market, Bitmain seems to be staying afloat, at least for now. Even though titans rise and fall, it appears unlikely that this controversy will do any significant damage to Bitmain, at least in the short term.

The post Bitmain Releases Bugfix, But Sidesteps Open Source Issue appeared first on UNHASHED.