In a move to enhance transparency and security within the Bitcoin ecosystem, a team of Bitcoin Core contributors has introduced a new policy for disclosing “critical bugs.” This initiative is designed to improve the way Bitcoin security vulnerabilities are communicated.
On July 3, Bitcoin Core developer Antoine Poinsot, along with five colleagues, addressed the Bitcoin Development Mailing List, acknowledging the project’s shortcomings in openly sharing information about security-critical bugs in the past. Poinsot emphasized that contrary to popular belief, Bitcoin Core is not devoid of bugs.
Bitcoin Core is the essential software that Bitcoin node operators use to interact with the Bitcoin blockchain, verify transactions, and create blocks. This software is pivotal in safeguarding the more than $1.1 trillion within the Bitcoin network.
Poinsot explained that the newly established policy would facilitate improved communication regarding the dangers of using outdated Bitcoin Core versions and establish a standardized process for vulnerability disclosure. This process is expected to motivate researchers to identify and responsibly report security issues.
The disclosure policy classifies vulnerabilities into four severity levels:
– “Low” severity covers hard-to-exploit bugs with minimal impact, such as those requiring access to a user’s device.
– “Medium” severity pertains to bugs with restricted impact, like a remote crash on a local network.
– The “High” and “Critical” categories encompass bugs that could significantly affect the network, with “Critical” bugs posing a threat to the network’s integrity, including potential manipulation of Bitcoin Core to exceed Bitcoin’s fixed supply or to steal coins.
The plan is to disclose low, medium, and high-severity bugs two weeks after the release of a patched version. The timing for disclosing critical bugs will be evaluated individually.
This policy is set to be progressively implemented in the upcoming months. Poinsot also noted that all vulnerabilities addressed in Bitcoin Core versions up to 0.21.0 have been disclosed as of July 3. Further disclosures for versions 0.22.0 and 0.23.0 are expected later in July and August, respectively. Bitcoin Core 27.1 is the most recent release.
Eric Voskuil, another Bitcoin Core developer, has expressed his support for the new policy.