Bitcoin Core Announces New Security Disclosure Policy

A group of Bitcoin Core developers has introduced a comprehensive security disclosure policy to address past shortcomings in publicizing security-critical bugs.

This new policy aims to establish a standardized process for reporting and disclosing vulnerabilities, thereby improving transparency and security within the Bitcoin ecosystem.

Several previously undisclosed vulnerabilities are also included with the announcement.

What is a Security Disclosure?

A security disclosure is a process through which security researchers or ethical hackers report vulnerabilities they discover in software or systems to the affected organization. The goal is to allow the organization to address these vulnerabilities before they can be exploited by malicious actors. This process typically involves discovering the vulnerability, reporting it confidentially, verifying its existence, developing a fix, and finally, publicly disclosing the vulnerability along with details and mitigation advice.

Should Users Be Worried?

The latest Bitcoin Core security disclosures address various vulnerabilities with varying severity. Key issues include multiple denial-of-service (DoS) vulnerabilities that could cause service disruptions, a remote code execution (RCE) flaw in the miniUPnPc library, transaction handling bugs that could lead to censorship or improper orphan transaction management, and network vulnerabilities such as buffer blowup and timestamp overflow leading to network splits.

It is not believed any of those vulnerabilities currently present a critical risk for the Bitcoin network. Regardless, users are strongly encouraged to ensure their software is up to date.

For detailed information, see the commits on GitHub: Bitcoin Core Security Disclosures.

Improving the disclosure process

Bitcoin Core’s new policy categorizes vulnerabilities into four severity levels: Low, Medium, High, and Critical.

Low severity: Bugs that are difficult to exploit or have minimal impact. These will be disclosed two weeks after a fix is released.Medium and High severity: Bugs with significant impact or moderate ease of exploitation. These will be disclosed a year after the last affected release goes end-of-life (EOL).Critical severity: Bugs that threaten the entire network’s integrity, such as inflation or coin theft vulnerabilities, will be handled with ad-hoc procedures due to their severe nature.

This policy aims to provide consistent tracking and standardized disclosure processes, encouraging responsible reporting and allowing the community to address issues promptly.

History of CVE Disclosures in Bitcoin

Bitcoin has experienced several notable security issues, known as CVEs (Common Vulnerabilities and Exposures), over the years. These incidents highlight the importance of vigilant security practices and timely updates. Here are some key examples:

CVE-2012-2459: This critical bug could cause network problems by allowing attackers to create invalid blocks that looked valid, potentially splitting the Bitcoin network temporarily. It was fixed in Bitcoin Core version 0.6.1 and motivated further improvements in Bitcoin’s security protocols​.

CVE-2018-17144: A critical bug that could have allowed attackers to create extra Bitcoins, violating the fixed supply principle. This issue was discovered and fixed in September 2018. Users needed to update their software to avoid potential exploitation​

Additionally, the Bitcoin community has discussed various other vulnerabilities and potential fixes that have not yet been implemented.

CVE-2013-2292: By creating blocks that take a very long time to verify, an attacker could significantly slow down the network.

CVE-2017-12842: This vulnerability can trick lightweight Bitcoin wallets into thinking they received a payment when they hadn’t. This is risky for SPV (Simplified Payment Verification) clients.

The conversation around these vulnerabilities underscores the ongoing need for coordinated and community-supported updates to Bitcoin’s protocol. Ongoing research around the idea of a consensus cleanup soft fork seeks to address latent vulnerabilities in a unified and efficient manner, ensuring the continued robustness and security of the Bitcoin network.

Maintaining software security is a dynamic process requiring ongoing vigilance and updates. This intersects with the broader debate on Bitcoin ossification—where the core protocol remains unchanged to maintain stability and trust. While some advocate for minimal changes to avoid risks, others argue that occasional updates are necessary to enhance security and functionality.

This new disclosure policy by Bitcoin Core is a step towards balancing these perspectives by ensuring that any necessary updates are well-communicated and managed responsibly.