Bitcoin Core Developers Launch New Policy to Address Bugs

Bitcoin Core developer Antoine Poinsot highlighted the importance of this initiative in enhancing transparency and addressing communication issues.
By: Alex Lari
Jul 05, 2024

Bitcoin Core developers have introduced a new policy aimed at improving the disclosure and handling of security vulnerabilities within the Bitcoin network.

This move comes as part of an effort to enhance transparency and security, addressing long-standing issues in the way vulnerabilities have been communicated to the public.

Antoine Poinsot, a prominent Bitcoin Core developer, has emphasized the importance of this new policy. According to Poinsot, there’s a dangerous misconception among Bitcoin users that Bitcoin Core, the software used by node operators to access the Bitcoin blockchain, is free of bugs.

“This perception is dangerous and, unfortunately, not accurate,” Poinsot stated. The new policy aims to address this misconception by providing a more standardized and transparent way of disclosing vulnerabilities.

Bitcoin Core has historically faced criticism for its handling of security-critical bugs. Poinsot and his colleagues acknowledged this in their communication to the Bitcoin Development Mailing List on July 3.

They highlighted that both externally reported and internally discovered vulnerabilities were not always made public, leading to a false sense of security among users. Poinsot noted:

“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors.”

He suggested that allowing more contributors to access information about safety bugs could help prevent future issues.

The newly implemented policy categorizes vulnerabilities into four levels of severity: low, medium, high, and critical. This categorization is designed to help users and developers understand the impact and urgency of each bug.

Low-severity bugs are those that are difficult to exploit and have minimal impact. For instance, a wallet bug that requires access to the victim’s machine would fall under this category. These bugs will be disclosed two weeks after a fixed version is released.

Medium-severity bugs have limited impact, such as local network remote crashes. These will be disclosed one year after the last affected software release goes end-of-life.

High-severity bugs can have significant impact and, like medium-severity bugs, will be disclosed one year after the last affected release goes end-of-life.

Critical bugs pose a threat to the entire network’s integrity. Examples include manipulating Bitcoin Core to inflate Bitcoin’s hard-capped supply or committing a “coin theft.” The disclosure of critical bugs will be handled on a case-by-case basis due to their severe nature.

The policy will be gradually adopted over the coming months.

Poinsot noted that all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier have been disclosed as of July 3. Disclosures for versions 0.22.0 and 0.23.0 are scheduled for later this month and in August. The latest version, Bitcoin Core 27.1, will also follow the new policy guidelines.

This move has been well-received within the Bitcoin community. Eric Voskuil, another Bitcoin Core developer, praised the initiative, saying:

“Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don’t know what precipitated this change, but props to you all for stepping up.”

Bitcoin Core is the backbone of the Bitcoin network, playing a vital role in securing more than $1.1 trillion locked within the network. The software is used to validate transactions and build blocks, making its security paramount.

The new policy not only aims to improve communication about the risks of running outdated versions but also incentivizes researchers to find and responsibly disclose vulnerabilities.

To illustrate the importance of the new policy, Poinsot and his team pointed to past vulnerabilities that had significant impacts.

For instance, CVE-2012-2459 allowed attackers to create invalid blocks that appeared valid, while CVE-2018-17144 could be exploited to create new bitcoin out of thin air and undermine the hard cap of 21 million coins.

Poinsot hopes that making information about security bugs available to a wider group of contributors will help prevent future vulnerabilities.

The standardized disclosure process is expected to encourage more researchers to discover and responsibly report bugs, contributing to the overall security and stability of the Bitcoin network.

The process of security disclosure typically involves several steps: spotting a vulnerability, confidentially reporting it, verifying the vulnerability, fixing the issue in a future release, and then disclosing it publicly.

This new policy aligns with this process but adds specific timelines and procedures based on the severity of the vulnerabilities. It aims to rectify past shortcomings in how vulnerabilities were communicated and provide a more structured approach to handling security issues.

One of the key aspects of the new policy is that it provides more incentives for researchers to find and responsibly disclose vulnerabilities.

By offering a standardized disclosure process and better communication, researchers are more likely to engage with the Bitcoin Core project and contribute to its security.

As the new policy is gradually adopted, users and developers can expect more timely and detailed information about vulnerabilities. This will help them make informed decisions about the software they rely on and take necessary precautions to protect their assets.

The Bitcoin Core team’s commitment to transparency and security marks a significant milestone for the project. It demonstrates their dedication to improving the network’s security and fostering a culture of responsible disclosure.

© A Bitcoin-Focused Company | 256 Media, 2024
