
Bitcoin Core Introduces New Security Disclosure Policy

Bitcoin Core introduces a new security disclosure policy to enhance transparency and communication about vulnerabilities. This update improves how bugs are reported and fixed, with a clear severity classification. Key issues and fixes are detailed in the latest update.

July 25, 2024
Kester

The maintainers of Bitcoin's primary software implementation have announced a new security disclosure policy to enhance communication about security issues.

This policy aims to create a standardized procedure for reporting and revealing vulnerabilities, thereby increasing transparency and security within the Bitcoin community.

The announcement also includes several previously undisclosed vulnerabilities.

Understanding Security Disclosure

A security disclosure involves security researchers or ethical hackers informing the relevant organization about vulnerabilities they've identified in software or systems. The objective is to enable the organization to fix these vulnerabilities before they can be exploited by malicious actors. The process generally involves discovering the vulnerability, reporting it confidentially, verifying it, developing a fix, and eventually publicly disclosing the vulnerability along with mitigation advice.

Should Users Be Concerned?

The latest disclosures from Bitcoin Core address various vulnerabilities with differing levels of severity. Key issues include multiple denial-of-service (DoS) vulnerabilities that could disrupt services, a remote code execution (RCE) flaw in the miniUPnPc library, transaction handling bugs that could lead to censorship or mishandling of orphan transactions, and network vulnerabilities such as buffer overflow and timestamp overflow that could cause network splits.

None of these vulnerabilities are believed to pose a critical risk to the Bitcoin network at present. However, users are strongly advised to keep their software updated.

For more detailed information, see the commits on GitHub: Bitcoin Core Security Disclosures.

Enhancing the Disclosure Process

Bitcoin Core’s new policy classifies vulnerabilities into four severity levels: Low, Medium, High, and Critical.

  • Low severity: These are bugs that are hard to exploit or have minimal impact. They will be disclosed two weeks after a fix is released.
  • Medium and High severity: These are bugs with significant impact or moderate ease of exploitation. They will be disclosed one year after a fix is released.
  • Critical severity: Bugs that jeopardize the entire network's integrity, such as those causing inflation or coin theft, will be managed with ad-hoc procedures due to their severe nature.

This policy seeks to ensure consistent tracking and standardized disclosure processes, promoting responsible reporting and enabling the community to address issues promptly.

History of CVE Disclosures in Bitcoin

Bitcoin has encountered several significant security issues, known as CVEs (Common Vulnerabilities and Exposures), over the years. These incidents underscore the importance of maintaining vigilant security practices and implementing timely updates. Notable examples include:

  • CVE-2012-2459: This critical bug could cause network problems by allowing attackers to create invalid blocks that appeared valid, potentially causing a temporary split of the Bitcoin network. It was fixed in Bitcoin Core version 0.6.1 and led to further improvements in Bitcoin's security protocols.
  • CVE-2018-17144: A critical bug that could have allowed attackers to create extra bitcoins, violating the fixed supply principle. This issue was identified and resolved in September 2018. Users were required to update their software to prevent potential exploitation.

Furthermore, the Bitcoin community has considered various other vulnerabilities and potential fixes that are yet to be implemented.

  • CVE-2013-2292: An attacker could significantly slow down the network by creating blocks that take a very long time to verify.
  • CVE-2017-12842: This vulnerability can trick lightweight Bitcoin wallets into thinking they received a payment when they hadn't, posing a risk for SPV (Simplified Payment Verification) clients.

These discussions emphasize the need for coordinated and community-supported updates to Bitcoin’s protocol. Ongoing research around a consensus cleanup soft fork seeks to address latent vulnerabilities in a unified and efficient manner, ensuring the continued robustness and security of the Bitcoin network.

Ensuring software security is an ongoing effort that demands continuous monitoring and updates. This intersects with the larger debate on Bitcoin ossification, where keeping the core protocol unchanged is seen as essential for stability and trust. Some support minimal changes to mitigate risks, while others believe periodic updates are needed to improve security and functionality.

Bitcoin Core's new disclosure policy seeks to balance these views by guaranteeing that any essential updates are communicated effectively and managed responsibly.
