Bitcoin Core Developers Group He presented it. A comprehensive security disclosure policy to address past shortcomings in reporting critical security bugs.
This new policy aims to create a standardized process for reporting and disclosing vulnerabilities, thereby improving transparency and security within the Bitcoin ecosystem.
The announcement also includes several previously undisclosed security vulnerabilities.
What is a security disclosure?
Security disclosure is the process by which security researchers or ethical hackers report vulnerabilities they discover in software or systems to the affected organization. The goal is to allow the organization to address these vulnerabilities before they can be exploited by malicious actors. This process typically involves discovering the vulnerability, confidentially reporting it, verifying its existence, developing a fix, and finally publicly disclosing the vulnerability with details and mitigation tips.
Should users be concerned?
Latest version of Bitcoin Core Security Disclosures Addresses various vulnerabilities with varying degrees of severity. Key issues include multiple denial of service (DoS) vulnerabilities that can cause a service outage, a remote code execution (RCE) bug in the miniUPnPc library, transaction processing bugs that can lead to censorship or improper management of orphaned transactions, and network vulnerabilities such as buffer explosion and timestamp overflow that can lead to network splits.
None of these vulnerabilities are currently believed to pose a significant risk to the Bitcoin network. Regardless, users are strongly advised to ensure that their software is up to date.
For detailed information, see the commitments at GitHub: Bitcoin Core Security Disclosures.
Improving the disclosure process
Bitcoin Core’s new policy categorizes vulnerabilities into four levels of severity: low, medium, high, and critical.
- Low severity: Bugs that are difficult to exploit or have minimal impact. Will be disclosed two weeks after the fix is released.
- Medium-High Severity: Bugs that are either highly impactful or moderately easy to exploit. Will be disclosed one year after the last affected release expires.
- Critical: Bugs that threaten the integrity of the entire network, such as inflation or coin theft vulnerabilities, will be addressed with dedicated actions due to their critical nature.
This policy aims to provide consistent tracking and standardized disclosure, encourage responsible reporting, and allow the community to address issues promptly.
History of Bitcoin Risk and Threat Disclosure
Bitcoin has faced a number of notable security issues, known as CVEs (Common Vulnerabilities and Exposures), over the years. These incidents highlight the importance of vigilant security practices and timely updates. Here are some notable examples:
CVE-2012-2459This critical bug could cause network problems by allowing attackers to create invalid blocks that appear valid, which could temporarily split the Bitcoin network. It was fixed in Bitcoin Core 0.6.1 and prompted further improvements to Bitcoin’s security protocols.
CVE-2018-17144: A critical bug could have allowed attackers to generate additional bitcoins, violating the fixed supply principle. This issue was discovered and fixed in September 2018. Users were advised to update their software to avoid potential exploitation.
Additionally, the Bitcoin community has discussed several other vulnerabilities and potential fixes that have yet to be implemented.
Critical Security Vulnerability 2013-2292By creating blocks that take a long time to verify, an attacker can slow down the network significantly.
CVE-2017-12842This vulnerability can trick lightweight Bitcoin wallets into thinking they have received payments when they have not. This is risky for SPV (Simplified Payment Verification) customers.
The conversation around these vulnerabilities underscores the ongoing need for coordinated, community-driven updates to the Bitcoin protocol. Continuously advanced search The idea of a soft fork is to clean up the consensus and seek to address underlying vulnerabilities in a uniform and efficient manner, ensuring the continued strength and security of the Bitcoin network.
Maintaining software security is a dynamic process that requires constant vigilance and updating. This intersects with the broader discussion of Bitcoin hardening — where the core protocol remains unchanged to maintain stability and trust. While some advocate for minor changes to avoid risk, others argue that occasional updates are necessary to enhance security and functionality.
Bitcoin Core’s new disclosure policy represents a step towards balancing these viewpoints by ensuring that any necessary updates are well communicated and managed responsibly.
