A group of Bitcoin Core developers has introduced a comprehensive security disclosure policy to address past shortcomings in publicizing security-critical bugs.

This new policy aims to establish a standardized process for reporting and disclosing vulnerabilities, thereby improving transparency and security within the Bitcoin ecosystem.

Several previously undisclosed vulnerabilities are also included with the announcement.

What is a Security Disclosure?

A security disclosure is a process through which security researchers or ethical hackers report vulnerabilities they discover in software or systems to the affected organization. The goal is to allow the organization to address these vulnerabilities before they can be exploited by malicious actors. The process typically involves discovering the vulnerability, reporting it confidentially, verifying its existence, developing a fix, and finally publicly disclosing the vulnerability along with details and mitigation advice.

The latest Bitcoin Core security disclosures address vulnerabilities of varying severity. Key issues include multiple denial-of-service (DoS) vulnerabilities that could cause service disruptions, a remote code execution (RCE) flaw in the miniUPnPc library, transaction handling bugs that could lead to censorship or improper orphan transaction management, and network vulnerabilities such as buffer blowup and timestamp overflow leading to network splits.

Should Users Be Worried?

None of these vulnerabilities is believed to present a critical risk to the Bitcoin network at this time. Regardless, users are strongly encouraged to ensure their software is up to date.

For detailed information, see the commits on GitHub: Bitcoin Core Security Disclosures.

Improving the disclosure process

Bitcoin Core's new policy categorizes vulnerabilities into four severity levels: Low, Medium, High, and Critical.

Low severity: Bugs that are difficult to exploit or have minimal impact. These will be disclosed two weeks after a fix is released.

Medium and High severity: Bugs with significant impact or moderate ease of exploitation. These will be disclosed a year after the last affected release goes end-of-life (EOL).

Critical severity: Bugs that threaten the entire network's integrity, such as inflation or coin theft vulnerabilities, will be handled with ad-hoc procedures due to their severe nature.

This policy aims to provide consistent tracking and standardized disclosure processes, encouraging responsible reporting and allowing the community to address issues promptly.

History of CVE Disclosures in Bitcoin

Bitcoin has experienced several notable security issues, tracked as CVEs (Common Vulnerabilities and Exposures), over the years. These incidents highlight the importance of vigilant security practices and timely updates. Here are some key examples:

CVE-2012-2459: This critical bug could cause network problems by allowing attackers to create invalid blocks that looked valid, potentially splitting the Bitcoin network temporarily. It was fixed in Bitcoin Core version 0.6.1 and motivated further improvements in Bitcoin's security protocols.

CVE-2018-17144: A critical bug that could have allowed attackers to create extra Bitcoins, violating the fixed supply principle. This issue was discovered and fixed in September 2018. Users needed to update their software to avoid potential exploitation.

Additionally, the Bitcoin community has discussed various other vulnerabilities and potential fixes that have not yet been implemented.

CVE-2013-2292: By creating blocks that take a very long time to verify, an attacker could significantly slow down the network.