A group of Bitcoin Core developers has launched a “critical bug” disclosure policy aimed at more effectively communicating Bitcoin security vulnerabilities.
Addressing Past Issues and Enhancing Transparency
“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors” Bitcoin Core developer Antoine Poinsot and five others wrote to members of the Bitcoin Development Mailing List on July 3. This has led to a situation where Bitcoin users are led to believe that Bitcoin Core is free of bugs, but Poinsot stressed that this simply isn’t the case. “This perception is dangerous and, unfortunately, not accurate.”
This Might Interest You: Pre-ETF Ether Options Trend Mirrors BTC Except for One Key Difference
Bitcoin Core is the software that Bitcoin node operators download to access the Bitcoin blockchain, validate transactions, and build blocks. It plays a crucial role in securing more than $1.1 trillion locked in the Bitcoin network. Poinsot said the new policy would allow better communication about the risk of running outdated versions of Bitcoin Core and would provide a standardized disclosure process that would give researchers more incentive to find and responsibly disclose vulnerabilities. “Making the security bugs available to the wider group of contributors can help prevent future ones.”
Categorizing Vulnerabilities and Disclosure Timeline
The new disclosure policy will categorize vulnerabilities based on four levels of severity. The categories include:
- Low: Bugs that are hard to exploit and have low impact, such as a wallet bug that requires access to the victim’s machine.
- Medium: Bugs with limited impact, such as local network remote crashes.
- High: Bugs that could have significant impact.
- Critical: Bugs that threaten the entire network’s integrity, such as manipulating Bitcoin Core to inflate Bitcoin’s hard-capped supply or committing a “coin theft.”
Low, medium, and high bugs will aim to be disclosed two weeks after a fixed version is released, while disclosures for critical bugs will be determined on a case-by-case basis. The policy will be “gradually adopted” in the coming months, Poinsot added.
Poinsot noted that all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier have been disclosed as of July 3, and disclosures for versions 0.22.0 and 0.23.0 will come out later this month and in August. Bitcoin Core version 27.1 is the latest version adopted.
The new policy received praise from fellow Bitcoin Core developer Eric Voskuil: “Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don’t know what precipitated this change, but props to you all for stepping up.”
Click here to get the latest news from Coin Engineer!