🌋 Bitcoin Core Developers to Disclose Vulnerabilities
posted 4 Jul 2024
Developer Antoine Poinsot and five colleagues have released a letter detailing a new policy for notifying users about vulnerabilities and bugs in Bitcoin Core's code, which is crucial for network node operators.
Notification timelines vary by the severity of the bug: low-severity issues will be reported two weeks after the corresponding patch is released, while medium- and high-severity issues will be disclosed one year post-patch. For critical vulnerabilities, no standardized timeline will be set; responses will be tailored to the specifics of the situation.
Poinsot highlighted that the team had previously not emphasized technical issues adequately, which had led the community to mistakenly regard the code as all but flawless. He stressed that this is not the case and that perpetuating this myth could endanger users.
The developers have introduced a standardized procedure for disclosing vulnerabilities, which are classified into four levels of severity:
- Low Level: This category includes bugs that are difficult to exploit for malicious purposes, such as a wallet vulnerability that requires direct access to a user's device.
- Medium Level: This includes problems that pose a limited threat, such as the potential for remote disruptions within a local network.
- High Level: These are more significant issues, like the potential for remote code execution (RCE), which involves running malicious code on a victim’s device.
- Critical Level: Reserved for the most severe bugs that affect the entire network, such as those that could alter the total supply of coins or enable direct theft of funds.
This new policy on vulnerability disclosure is set to be phased in over the coming months.