Rony Roy
Bitcoin Core developers have adopted a new security disclosure policy that sets out a standardised process for reporting and publicly disclosing vulnerabilities.
Bitcoin Core is the software run by Bitcoin node operators to validate transactions and build blocks. It plays a crucial role in securing the Bitcoin blockchain.
More transparency
Antoine Poinsot, a Bitcoin Core developer, noted in an email co-signed by five other developers that Bitcoin Core “has historically done a poor job at publicly disclosing security-critical bugs.”
This has created a misconception among Bitcoin users that Bitcoin Core is free of bugs. The developers say that is not the case, and that the “perception” is both inaccurate and “dangerous.”
Security disclosure is the process by which developers and external researchers report vulnerabilities in a system to the affected organisation, which fixes them and then publishes the details; it is closely related to bug bounty programs.
The process typically involves finding a vulnerability, reporting it confidentially, verifying it, shipping a fix, and then disclosing it publicly together with the technical details.
Under the new policy, vulnerabilities in the software are categorised by severity, and each category carries its own disclosure timeline.
Severity categories and disclosure timelines
Low-severity bugs are those that are hard to exploit or have minimal impact on the network; they are disclosed after the fix is released. A wallet bug that requires physical access to the machine, for instance, would fall into this category.
Medium- and high-severity bugs, which have limited but real impact (a remote crash that can only be triggered from the local network, for instance), are disclosed a year after the last affected release reaches end-of-life (EOL).
Finally, critical bugs, those that threaten the integrity of the network as a whole, are handled through ad-hoc procedures because of their severity.
Over the years, the Bitcoin network has seen multiple security issues tracked as Common Vulnerabilities and Exposures (CVE) entries.
CVE-2012-2459, for instance, let an attacker craft an invalid block whose hash matched that of a valid block, so that nodes which saw the invalid copy first would go on to reject the valid one. CVE-2018-17144 would have allowed an attacker able to mine a block to create additional bitcoins beyond the network’s fixed supply cap.
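To make the CVE-2012-2459 mechanism concrete, the following is an added example written for this article; it is not code from Bitcoin Core or from the article's author. It reimplements Bitcoin's merkle root calculation, whose rule of duplicating the last hash on any level with an odd number of entries means that a block ending in a duplicated transaction hashes to the same merkle root, and therefore the same block hash, as the honest block. The `mutated` flag mirrors the kind of check added after the fix: a pair of identical hashes at any level, detected before padding. The txids used are constructed from short labels for illustration only; real txids are the double SHA-256 of the serialised transaction.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[bytes]) -> tuple[bytes, bool]:
    """Compute the Bitcoin merkle root over a list of 32-byte txids.

    Returns (root, mutated). Each level pairs adjacent hashes and double-SHA256s
    their concatenation; a level with an odd count duplicates its last hash.
    That duplication is why [A, B, C] and [A, B, C, C] share a root
    (CVE-2012-2459). `mutated` is set when two equal hashes form a pair at any
    level, checked before padding so that the legitimate odd-level duplicate is
    not itself flagged.
    """
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    mutated = False
    while len(level) > 1:
        # Only pairs that exist before padding are checked: padding always
        # produces an (x, x) pair by design.
        for i in range(0, len(level) - 1, 2):
            if level[i] == level[i + 1]:
                mutated = True
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], mutated


def demo() -> dict:
    """Show an honest 3-tx block and a forged 4-tx block colliding on the root."""
    # Constructed txids for illustration (not real transactions).
    a, b, c = (dsha256(label) for label in (b"tx-a", b"tx-b", b"tx-c"))
    honest_root, honest_mutated = merkle_root([a, b, c])
    forged_root, forged_mutated = merkle_root([a, b, c, c])  # invalid: duplicate tx
    return {
        "same_root": honest_root == forged_root,
        "honest_mutated": honest_mutated,
        "forged_mutated": forged_mutated,
        "root_hex": honest_root.hex(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged block is rejected by full validation because it contains a duplicate transaction, but since its header hash equals the honest block's, a node that cached the hash as invalid would also refuse the honest block. Tracking the `mutated` flag lets a node reject the malformed copy without marking the hash itself as permanently bad.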
According to Poinsot, the new policy will make it easier to communicate the risks of running an outdated version of Bitcoin Core.
He added that making these bugs known to the broader group of contributors can “help prevent future ones.”
The updated policy has been lauded by developer Eric Voskuil, who wrote:
Many other projects have been on the receiving end of this misperception […] I don’t know what precipitated this change, but props to you all for stepping up.
Poinsot also said that all vulnerabilities fixed in Bitcoin Core 0.21.0 and earlier have now been disclosed, with disclosures for versions 22.0 and 23.0 slated for July and August.
The new policy will be “gradually adopted” over the coming months.