A team of Bitcoin Core developers has introduced a “critical bug” disclosure policy to improve the communication of security vulnerabilities within Bitcoin.
In a message to the Bitcoin Development Mailing List on July 3, developer Antoine Poinsot and five others acknowledged that the project has historically failed in publicly disclosing security-critical bugs, leading users to mistakenly believe that Bitcoin Core is free of issues: “The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors.”
Bitcoin Core is the software that Bitcoin node operators use to access the Bitcoin blockchain, validate transactions, and build blocks, playing a crucial role in securing the over $1.1 trillion locked in the Bitcoin network.
Today we announce the new disclosure policy the Bitcoin Core will adopt for most reported vulnerabilities.
We also publicly disclose 10 vulnerabilities affecting Bitcoin Core versions lower than 0.21.0. https://t.co/yRa4QrNXTT https://t.co/fbRnnzHp5Q
— Antoine Poinsot (@darosior) July 3, 2024
The new policy aims to enhance communication about the risks of running outdated versions of Bitcoin Core and to standardise the disclosure process, incentivising researchers to find and responsibly disclose vulnerabilities. Poinsot believes that making security bugs known to a wider group of contributors can help prevent future issues.
The policy categorises vulnerabilities into four levels of severity. The first level, ‘Low’, covers bugs that are hard to exploit and have low impact, such as those requiring access to the victim’s machine.
The second, ‘Medium’, covers bugs with limited impact, such as a remote crash triggerable from the local network.
The last two levels are ‘High’ and ‘Critical’: respectively, bugs with significant impact, and bugs that threaten the integrity of the entire network, such as manipulating Bitcoin Core to inflate Bitcoin’s supply or to steal coins.
Low, medium, and high severity bugs will be disclosed two weeks after a fixed version is released, while critical bugs will be disclosed on a case-by-case basis. The policy will be gradually adopted over the coming months.
Poinsot noted that all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier have been disclosed as of July 3, with disclosures for versions 0.22.0 and 0.23.0 to follow later this month and in August. The latest version is Bitcoin Core 27.1.
The new policy was praised by fellow developer Eric Voskuil:
“Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don’t know what precipitated this change, but props to you all for stepping up.”