The Bitcoin Core development team introduced a new policy for disclosing vulnerabilities within the Bitcoin network. This new approach aims to promptly inform the community about Bitcoin security issues.
Led by Antoine Poinsot, the Bitcoin Core developers published a statement criticizing the current system for publicly informing the community about network vulnerabilities and proposed a new approach to disclosing Bitcoin security issues.
“The project has historically done a poor job at publicly disclosing security-critical bugs,” the developers assert. They believe this leads the community to mistakenly think that the Bitcoin network is invulnerable. To address this, the Bitcoin Core team developed a new policy for disclosing critical bugs to more effectively communicate Bitcoin security issues.
The new policy aims to improve awareness of the risks of using outdated versions of Bitcoin Core and create a standardized disclosure process that encourages researchers to find vulnerabilities and report them responsibly.
Under the new approach, vulnerabilities will be classified into four levels of severity:
- Low: bugs that are hard to exploit or have low usability, such as a wallet bug requiring access to the victim’s device.
- Medium: bugs with limited impact, like a local network remote crash.
- High: bugs with significant impact, like a local network remote crash or code execution.
- Critical: vulnerabilities threatening the entire network’s integrity, such as bugs leading to inflation or coin theft.
Most bugs will be disclosed two weeks after the release of a patched version, except for critical vulnerabilities, where the disclosure time will be determined on a case-by-case basis.