A new disclosure policy has been launched by a group of Bitcoin Core developers with the aim of improving how Bitcoin security vulnerabilities are communicated. In a message to the Bitcoin Development Mailing List on July 3, Bitcoin Core developer Antoine Poinsot and five others emphasized the historical lack of public disclosure of security-critical bugs. They pointed out that this has created a false impression among Bitcoin users that Bitcoin Core is free of bugs, which is simply not the case.
Bitcoin Core is essential software for Bitcoin node operators as it is used to access the Bitcoin blockchain, validate transactions, and build blocks. It plays a significant role in securing over $1.1 trillion in the Bitcoin network.
According to Antoine Poinsot, the new policy will enable better communication about the risks associated with using outdated versions of Bitcoin Core. It will also establish a standardized disclosure process to incentivize researchers to find and responsibly disclose vulnerabilities. The new policy categorizes vulnerabilities into four levels of severity.
The first category, “low,” covers bugs that are difficult to exploit and have minimal impact. The second category, “medium,” covers bugs with limited impact. The last two categories are “high” and “critical,” with the latter threatening the integrity of the entire network. Critical bugs could include ways of manipulating Bitcoin Core to inflate Bitcoin’s hard-capped supply or to enable “coin theft.”
Low-, medium-, and high-severity bugs will be disclosed two weeks after a fixed version is released, while the disclosure timing for critical bugs will be decided on a case-by-case basis. The new policy is expected to be adopted gradually over the coming months.
Antoine Poinsot also noted that all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier had been disclosed as of July 3, and that disclosures for versions 0.22.0 and 0.23.0 will follow later this month and in August. The current release is Bitcoin Core version 27.1. The new policy has been praised by fellow Bitcoin Core developer Eric Voskuil.
The new disclosure policy is an important step towards enhancing the security of Bitcoin Core and ensuring that users are informed about potential vulnerabilities.