Bitcoin Core developers have instituted a new security policy, noting that the project “has historically done a poor job of disclosing security-critical bugs.”

Perception that Bitcoin Core never has bugs ‘dangerous,’ developers say

Bitcoin Core developers have released details about 12 bugs that affected the network prior to v0.21.0.


Posted on July 4, 2024 at 2:00 am EST.

A group of Bitcoin core developers have rolled out a new policy to publicly disclose security vulnerabilities in the Bitcoin blockchain.

“The project has historically done a poor job of publicly disclosing security-critical bugs, whether they are reported externally or found by contributors,” developer Antoine Poinsot said in an email sent to the Bitcoin Developers mailing list.

“This has led to a situation where many users believe that Bitcoin Core never has any bugs. This perception is dangerous and unfortunately not accurate.”

The new disclosure policy classifies publicly disclosed vulnerabilities into four categories based on severity: low, medium, high, and critical.

Low severity bugs are disclosed within two weeks of the release of a fixed version, while medium and high severity bugs are disclosed two weeks after the end of life of the last affected software version.

Critical bugs, on the other hand, would not be included in the standard policy and would require an ad hoc procedure regarding their disclosure. Developers would place any bug that threatens the integrity of the entire network in this category.

The new policy is expected to be phased in over the coming months. To fulfill the promise of appropriate disclosures, a page has been added to the official Bitcoin core website summarizing vulnerabilities affecting the network.

The document details 12 disclosures that affected the Bitcoin network before version 0.21.0 of the software was released.

One of these bugs was a malicious BIP-72 Uniform Resource Identifier (URI), which is used to facilitate payments and communicate with wallet addresses. This bug could cause the BIP-70 implementation in Bitcoin core to silently crash.

Other revelations included an integer overflow bug that could have caused a network split, a node that could be stuck for hours, and a denial of service (DoS) vulnerability that affected older versions of Bitcoin Core.

“I have to say this is one of the most compelling statements I’ve seen from the bitcoin/Bitcoin Core team in over 10 years,” said Bitcoin developer Eric Voskuil.

“Many other projects have fallen victim to this misconception, and it has actually caused material damage to the community. I don’t know what caused this change, but kudos to all of you for taking the lead.”