Bitcoin Core Developers Implement New Security Disclosure Policy

王林
2024-07-12 15:40:41

Bitcoin Core developers have implemented a new security disclosure policy. The policy will establish standardised measures for reporting vulnerabilities.

Bitcoin Core developers have unveiled a new security disclosure policy that will standardize the reporting of vulnerabilities. The policy aims to improve transparency and address the common misperception that Bitcoin Core is bug-free.

Developers, including Antoine Poinsot, highlighted in an email that Bitcoin Core has historically fallen short in publicly disclosing security-critical bugs. This has led to the misconception among Bitcoin users that Core is bug-free, a perception that Poinsot described as “inaccurate” and “dangerous.”

Security disclosures typically involve external researchers or developers reporting vulnerabilities in a system to the affected organization, similar to bug bounty programs. The process usually entails discovering a vulnerability, confidentially reporting it, having the vulnerability verified, and then disclosing it publicly along with the details.

As part of the new policy, vulnerabilities in the network will be categorized based on their severity.

Three main categorizations for vulnerabilities

Low-severity bugs, which have minimal impact on the network, will be disclosed after a fix is released. An example of such a bug would be a wallet bug that requires physical access to a system.

Medium to high-severity bugs will be disclosed a year after the last affected release goes end-of-life (EOL). These bugs include those with limited impact, such as local network remote crashes.

Critical bugs that pose significant risks to the network will be handled via ad-hoc procedures due to their severe nature. These bugs typically threaten network integrity.

Over the years, the Bitcoin network has seen several security issues, which have been assigned Common Vulnerabilities and Exposures (CVE) identifiers.

For instance, CVE-2012-2459 allowed attackers to create invalid blocks that appeared valid. Meanwhile, CVE-2018-17144 allowed attackers to create additional bitcoins outside of the network’s fixed supply cap.

According to Poinsot, the new policy will also help in better communicating the risks of running an outdated version of the Bitcoin Core protocol.

He added that making these bugs known to the broader contributor set can “help prevent future ones.”

The updated policy has been met with appreciation, with developer Eric Voskuil writing:

Many other projects have been on the receiving end of this misperception […] I don’t know what precipitated this change, but props to you all for stepping up.

Currently, Poinsot added, all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier have been disclosed. Disclosures for versions 0.22.0 and 0.23.0 are expected in July and August.

The new changes will be “gradually adopted” in the coming months, he noted.
