A group of Bitcoin Core developers has launched a “critical bug” disclosure policy aimed at more effectively communicating Bitcoin security vulnerabilities.

“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors,” Bitcoin core developer Antoine Poinsot and five others wrote to members of the Bitcoin Development Mailing List on July 3.

This has led to a situation where Bitcoin users are led to believe that Bitcoin Core is free of bugs, but Poinsot stressed that this simply isn’t the case.

“This perception is dangerous and, unfortunately, not accurate.”

Bitcoin Core is the software that Bitcoin node operators download to access the Bitcoin blockchain, validate transactions and build blocks. It plays a crucial role in securing more than $1.1 trillion locked in the Bitcoin network.

Source: Antoine Poinsot

Poinsot said the new policy would allow better communication about the risk of running outdated versions of Bitcoin Core and would provide a standardized disclosure process that would give researchers more incentive to find and responsibly disclose vulnerabilities.

“Making the security bugs available to the wider group of contributors can help prevent future ones.”

The new disclosure policy will categorize vulnerabilities based on four levels of severity.

The first category, “low,” are bugs that are hard to exploit and have low impact — such as a wallet bug that requires access to the victim’s machine.

The second category, “medium” are bugs with limited impact, such as local network remote crash.

The last two categories include bugs of “high” severity that could have significant impact, while the “critical” severity are ones that threaten the entire network’s integrity.

An example of a critical bug could involve manipulating Bitcoin Core to inflate Bitcoin’s hard-capped supply or committing a “coin theft.”

Low, medium and high bugs will aim to be disclosed two weeks after a fixed version is released, while disclosures for critical bugs will be determined on a case-by-case basis.

The policy will be “gradually adopted” in the coming months, Poinsot added.

Poinsot noted that all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier has been disclosed as of July 3, and disclosures for versions 0.22.0 and 0.23.0 will come out later this month and in August.

Bitcoin Core version 27.1 is the latest version adopted.

The new policy received praise from fellow Bitcoin Core developer Eric Voskuil:

“Many other projects have been on the receiving end of this misperception, and it has in fact caused material harm to the community. I don't know what precipitated this change, but props to you all for stepping up.”