A group of Bitcoin Core developers launched a critical bug disclosure policy aimed at more effectively communicating Bitcoin security vulnerabilities. Bitcoin Core is the software that Bitcoin node operators download to access the Bitcoin blockchain network, validate transactions, and create blocks. It plays a crucial role in securing over $1.1 trillion locked in the Bitcoin network.
What Is Happening in the Bitcoin Ecosystem?
Poinsot said the new policy would allow better communication about the risks of running older versions of Bitcoin Core and provide a standardized disclosure process to incentivize researchers to find and responsibly disclose vulnerabilities:
“Presenting security bugs to a broader group of participants can help prevent future bugs.”
The new disclosure policy will classify vulnerabilities into four severity levels. The first category, low, covers hard-to-exploit and low-impact bugs, such as a wallet bug that requires access to the victim’s machine. The second category, medium, covers bugs with limited impact, such as remote crashes triggerable only from the local network. The third category, high, covers bugs with significant impact, and the fourth, critical, covers bugs that threaten the integrity of the entire network.
Details on the Subject
An example of a critical bug is manipulating Bitcoin Core to inflate Bitcoin’s fixed supply limit or commit asset theft. Disclosures of low, medium, and high bugs are targeted for two weeks after the fixed release, while disclosures of critical bugs will be determined case by case.
Poinsot added that the policy would be adopted gradually over the coming months and noted that all vulnerabilities fixed in Bitcoin Core 0.21.0 and earlier versions had been disclosed as of July 3, with disclosures for versions 0.22.0 and 0.23.0 to follow later this month and in August. Bitcoin Core 27.1 is the latest release, and the new policy has received praise from Bitcoin Core developer Eric Voskuil:
“Many other projects have suffered from this misconception and actually caused material harm to the community. I don’t know what accelerated this change, but I support you all in stepping up.”