A group of Bitcoin Core developers has introduced a new policy for disclosing security bugs, aimed at improving how Bitcoin security issues are communicated.
On July 3, Bitcoin Core developer Antoine Poinsot, writing with five colleagues, told the Bitcoin Development Mailing List that the project has historically struggled to disclose security-related bugs transparently, whether they were reported externally or found by contributors. That silence, Poinsot said, has created the misleading impression that Bitcoin Core is free of such bugs, which it is not.
Bitcoin Core is the reference software that Bitcoin node operators run to connect to the Bitcoin peer-to-peer network, validate transactions and blocks, and, for miners, assemble new blocks. It is therefore central to protecting the more than $1.1 trillion of value held on the Bitcoin network.
The new disclosure policy is meant to communicate more clearly the risk of running outdated versions of Bitcoin Core and to establish a standard process for reporting vulnerabilities, which should also give researchers an incentive to find and responsibly report security issues. The policy classifies vulnerabilities into four severity levels:
1. **Low**: Bugs that are hard to exploit or have low impact, such as a wallet bug that requires access to the victim's machine.
2. **Medium**: Bugs with limited impact, such as a crash that can only be triggered from the local network.
3. **High**: Bugs with significant impact.
4. **Critical**: Bugs that threaten the integrity of the entire network, such as one that could inflate Bitcoin's fixed supply or enable theft of coins.
Low-severity bugs are to be disclosed two weeks after a fix has been released; medium- and high-severity bugs are disclosed two weeks after the last affected release reaches end of life; critical bugs will be disclosed on a case-by-case basis.
The policy will be phased in over the coming months. As of July 3, all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier have been disclosed. Disclosures for bugs fixed in versions 22.0 and 23.0 are scheduled for later this month and for August, respectively. The latest version of Bitcoin Core is 27.1.
The new policy has been well received, including praise from Bitcoin developer Eric Voskuil of the libbitcoin project.