Bitcoin Core developer Antoine Poinsot stated that the perception that Bitcoin Core is bug-free is “dangerous and, unfortunately, not accurate.”
A group of Bitcoin Core developers has implemented a “critical bug” disclosure policy to communicate Bitcoin’s security vulnerabilities more effectively.
On July 3, Bitcoin Core developer Antoine Poinsot and five others wrote to members of the Bitcoin Development Mailing List: “The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors.”
This has resulted in Bitcoin users being misled into believing that Bitcoin Core is bug-free; however, Poinsot emphasized that this is not the case.
“This perception is dangerous and, unfortunately, not accurate.”
Bitcoin Core is the software that Bitcoin node operators run to access the blockchain, validate transactions, and construct blocks. Its correctness matters because it protects the more than $1.1 trillion held on the Bitcoin network.
Poinsot said the new policy would make it easier to communicate the hazards of running outdated versions of Bitcoin Core and would establish a standardized disclosure procedure, giving researchers a greater incentive to find and responsibly disclose vulnerabilities.
“Making the security bugs available to the wider group of contributors can help prevent future ones.”
The vulnerabilities will be classified into four severity levels under the new disclosure policy.
The first category, “low,” encompasses bugs that are difficult to exploit and have a minimal impact, such as a wallet flaw that necessitates access to the victim’s machine.
The second category, “medium,” covers flaws with limited impact, such as remote crashes that can only be triggered from the local network.
The final two categories are “high,” for flaws with the potential for substantial impact, and “critical,” for flaws that threaten the integrity of the entire network.
A critical flaw might, for example, allow Bitcoin Core to be manipulated into inflating Bitcoin’s hard-capped supply, or enable “coin theft.”
The goal is to disclose low, medium, and high bugs within two weeks of the release of a fixed version. Disclosure of critical flaws, however, will be decided on a case-by-case basis.
Poinsot further stated that the policy will be implemented progressively in the months ahead.
Poinsot observed that all vulnerabilities resolved in Bitcoin Core versions 0.21.0 and earlier have been disclosed as of July 3. The disclosures for versions 0.22.0 and 0.23.0 will be released later this month and in August.
Version 27.1 is the most recent release of Bitcoin Core.
Eric Voskuil, a fellow Bitcoin Core developer, expressed his approval of the new policy:
“Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don’t know what precipitated this change, but props to you all for stepping up.”