Thank you for the detailed and transparent response, and for crediting the independent discovery in the advisory and the v4.4.1 release notes — both are appreciated.
I’d like to raise one point for your consideration. My submission was an independent, reproducible, and correct identification of a Critical issue, acknowledged as such in the advisory and release notes. You also noted that GHSA-pvmv-cwg8-v6c8 had been inadvertently omitted from the report sent to ZCG, and that you’re following up to recommend payout. In that same spirit, would ZF/ZCG be open to a partial or discretionary payout in recognition of an independent, high-quality Critical duplicate, rather than treating the classification as zero-value?
For context, the publicly visible timeline is:
- 2026-05-01 15:11 UTC: PR #10510 was merged and shipped in v4.4.0. The PR described validation of the caller-provided input index and previous-output alignment, but it did not add the v5 SIGHASH_SINGLE corresponding-output guard. As of the public v4.4.0 release, the issue I reported was still present in shipped code.
- 2026-05-03 10:22 UTC: I submitted GHSA-vwgm-g748-q95m, identifying that v4.4.0 still lacked the SIGHASH_SINGLE corresponding-output guard.
- 2026-05-04 19:01 UTC: PR #10542 was opened, then merged at 20:09 UTC and released as v4.4.1 at 20:14 UTC. This was the public PR/release path that added the missing guard.