A group of Bitcoin core developers have rolled out a new policy to disclose security vulnerabilities on the Bitcoin blockchain.
“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors,” said developer Antoine Poinsot in an email sent to the Bitcoin developer mailing list.
“This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate.”
The new disclosure policy would classify disclosed vulnerabilities into one of four categories based on severity: low, medium, high and critical.
Low severity bugs would be disclosed within two weeks after a fixed version is released, while medium and high severity bugs would be disclosed two weeks after the last affected software release reaches its end of life.
Critical bugs, on the other hand, would not be covered by the standard policy and would require an ad-hoc procedure for their disclosure. The developers would consider any bug that threatens the integrity of the entire network to fall into this bracket.
The new policy is expected to be rolled out gradually in the coming months, but in the spirit of following through on the promise of appropriate disclosures, a page has been added to the official Bitcoin Core website summarizing the vulnerabilities that affected the network.
The document details 12 disclosures that affected the Bitcoin network before version 0.21.0 of its software was released.
One of these bugs allowed a malicious BIP-72 Uniform Resource Identifier (URI), a format used to facilitate payments and interact with wallet addresses, to silently crash the BIP-70 implementation in Bitcoin Core.
Other disclosures included an integer overflow bug that could have caused a network split, a bug that could stall a node for hours, and a denial of service (DoS) vulnerability that affected older versions of Bitcoin Core.
“I have to say this is one of the most compelling statements I’ve seen from the bitcoin/Bitcoin Core team in over 10 years,” said Bitcoin developer Eric Voskuil.
“Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don’t know what precipitated this change, but props to you all for stepping up.”