Bitcoin Core Announces New Security Disclosure Policy

Bitcoin Core Developer Group Introduced A comprehensive security disclosure policy to address past shortcomings in disclosing security-critical bugs.

The new policy aims to establish a standardized process for reporting and disclosing vulnerabilities, thereby improving transparency and security within the Bitcoin ecosystem.

The announcement also includes several previously undisclosed vulnerabilities.

What is a security disclosure?

Security disclosure is the process by which security researchers and ethical hackers report vulnerabilities they find in software or systems to affected organizations so that the organizations can address these vulnerabilities before malicious actors exploit them. The process typically involves discovering the vulnerability, reporting it privately, confirming its existence, developing a fix, and finally making it public with details of the vulnerability and mitigation advice.

Should users be worried?

Latest Bitcoin Core Security Disclosures It addresses vulnerabilities of various severity. Key issues include multiple Denial of Service (DoS) vulnerabilities that can cause service interruptions, a Remote Code Execution (RCE) flaw in the miniUPnPc library, transaction processing bugs that can lead to censorship and improper orphaned transaction management, and network vulnerabilities such as buffer explosion and timestamp overflow that can lead to network partitions.

None of these vulnerabilities are currently believed to pose a significant risk to the Bitcoin network. Regardless, users are strongly encouraged to keep their software up to date.

For more information, GitHub: Bitcoin Core Security Disclosures.

Improving the disclosure process

Bitcoin Core’s new policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical.

  • Low severity: Bugs that are difficult to exploit or have minimal impact. These will be made public two weeks after a fix is ​​released.
  • Medium and High Severity: Bugs with significant impact or high exploitability. These are disclosed one year after the last affected release reaches End of Life (EOL).
  • Critical Severity: Bugs that threaten the integrity of the entire network, such as inflation or coin theft vulnerabilities, will be handled in an ad-hoc manner due to their severity.

This policy is intended to provide a consistent tracking and standardized disclosure process, encourage responsible reporting, and enable the community to quickly address issues.

Bitcoin CVE Disclosure History

Over the years, Bitcoin has experienced several notable security issues, known as CVEs (Common Vulnerabilities and Exposures). These incidents highlight the importance of vigilant security practices and timely updates. Below are some major examples:

2012-2459 vulnerability: This critical bug could allow attackers to create invalid blocks that appeared to be valid, potentially causing network issues and potentially splitting the Bitcoin network temporarily. It was fixed in Bitcoin Core version 0.6.1 and led to further improvements to Bitcoin’s security protocols.

CVE-2018-17144: A critical bug that allowed attackers to violate the fixed supply principle and create extra bitcoins. The issue was discovered and fixed in September 2018. Users were required to update their software to avoid potential exploits.

Additionally, the Bitcoin community is discussing various vulnerabilities and potential fixes that have yet to be implemented.

2013-2292 vulnerability: By creating blocks that take a very long time to validate, an attacker could significantly slow down the network.

CVE-2017-12842: This vulnerability could allow lightweight Bitcoin wallets to believe they have received a payment when in fact they have not, which is dangerous for SPV (Simplified Payment Verification) clients.

Discussions of these vulnerabilities highlight the ongoing need for coordinated, community-supported updates to Bitcoin’s protocol. Ongoing research Centered around the idea of ​​a consensus cleanup soft fork, it aims to address potential vulnerabilities in a unified and efficient way, ensuring the ongoing robustness and security of the Bitcoin network.

Maintaining software security is a dynamic process that requires constant monitoring and updating. This overlaps with the broader debate over Bitcoin’s ossification to not change its core protocol to maintain stability and reliability. Some argue for minimizing changes to avoid risk, while others argue that regular updates are necessary to enhance security and functionality.

This new disclosure policy by Bitcoin Core is a step towards balancing these perspectives by ensuring that necessary updates are communicated properly and managed responsibly.


Leave a Comment