
Bitcoin Core Security Disclosure Policy


Original post by Antoine Poinsot

Posted on: July 3, 2024 12:57 UTC

Bitcoin Core has recognized the need for transparency and improvement in how it discloses security vulnerabilities.

The team acknowledges a lack of public communication about security-critical bugs, whether found by external reporters or by contributors, and admits that this oversight has contributed to a misleading perception of Bitcoin Core as being free of bugs. That perception is not only inaccurate but also risky, since it obscures the dangers of running outdated software versions.

In response, the team has developed a structured disclosure policy to address these issues effectively. The new policy aims to standardize the process of tracking and disclosing security vulnerabilities, thereby setting clear expectations for security researchers. By encouraging the discovery and responsible reporting of vulnerabilities, the policy intends to foster an environment where such information is readily shared among a broader group of contributors, potentially preventing future security flaws.

The disclosure policy categorizes vulnerabilities into four severity levels: low, medium, high, and critical, each with specific guidelines for when disclosure happens relative to the release of a fixed version or the end of life (EOL) of the affected releases. Low severity issues are disclosed two weeks after a fixed version is released, with a pre-announcement coinciding with that release. Medium and high severity vulnerabilities are disclosed two weeks after the last affected release reaches EOL, which occurs one year after a fixed version has been released; a pre-announcement is made two weeks before the disclosure. Critical vulnerabilities fall outside this standard schedule and are likely to be handled on a case-by-case basis because of their potential impact on the network's integrity.
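As an added example that is not part of the original post, the following Python code encodes the standard schedule described above so the pre-announcement and disclosure dates for a fix can be computed from its release date. It assumes the "one year" EOL interval is modelled as 365 days, and it treats critical issues as out of scope, as the policy does.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Intervals as stated in the summarised policy.
DISCLOSURE_DELAY = timedelta(weeks=2)
# Assumption for this example: "one year after the fixed release" as 365 days.
EOL_AFTER_FIX = timedelta(days=365)


@dataclass(frozen=True)
class Schedule:
    severity: str
    pre_announcement: date
    disclosure: date


def disclosure_schedule(severity: str, fix_release: date) -> Optional[Schedule]:
    """Return the pre-announcement and disclosure dates for a fixed vulnerability.

    Returns None for critical severity, which the policy handles case by case
    rather than on a fixed timeline.
    """
    severity = severity.lower()
    if severity == "critical":
        return None
    if severity == "low":
        # Pre-announced together with the fixed release, disclosed two weeks later.
        return Schedule(severity, fix_release, fix_release + DISCLOSURE_DELAY)
    if severity in ("medium", "high"):
        # Last affected release reaches EOL one year after the fix; disclosure
        # follows two weeks after EOL, pre-announced two weeks before that.
        eol = fix_release + EOL_AFTER_FIX
        disclosure = eol + DISCLOSURE_DELAY
        return Schedule(severity, disclosure - DISCLOSURE_DELAY, disclosure)
    raise ValueError(f"unknown severity: {severity!r}")


def is_public(severity: str, fix_release: date, today: date) -> bool:
    """True once the standard schedule says the advisory has been disclosed."""
    schedule = disclosure_schedule(severity, fix_release)
    return schedule is not None and today >= schedule.disclosure
```

Running it for a fix released on 2024-07-03 gives a low severity disclosure on 2024-07-17 and a high severity disclosure on 2025-07-17, pre-announced on 2025-07-03.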

The implementation of this policy will be gradual, starting with the disclosure of all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Subsequent disclosures will follow in a phased manner, addressing vulnerabilities fixed in later versions. The team has expressed openness to feedback on the potential impacts of this policy change, underscoring their commitment to improving security transparency and collaboration within the Bitcoin Core community.