Key Takeaways
- Roughly 6% of reachable Bitcoin nodes run outdated Bitcoin Core releases, leaving them exposed to already-fixed vulnerabilities.
- Bitcoin Core's new disclosure policy aims to improve network security through transparency about security-critical bugs.
Across their commit history, Bitcoin Core developers have so far disclosed 10 vulnerabilities that affect older versions of the Bitcoin client software. According to a report from Bitcoin Optech, these vulnerabilities, while already fixed in newer releases, could allow various attacks on nodes still running outdated Bitcoin Core versions.
The report comes as the developers introduced a new security disclosure policy intended to improve transparency and communication between the project and Bitcoin's users.
"The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate," the announcement stated, as written by Antoine Poinsot for the Bitcoin Development Mailing List.
According to an analysis written by Liam Wright of CryptoSlate, roughly 787 nodes, or 5.94% of the 14,001 active Bitcoin nodes counted, are running versions older than 0.21.0, making them susceptible to certain of the disclosed vulnerabilities. The most widespread exposure affects versions prior to 0.21.0: bugs fixed in that release could let an attacker censor unconfirmed transactions and cause network splits (netsplits) through excessive peer-driven time adjustments.
Other significant vulnerabilities include an unbounded banlist CPU/memory DoS (CVE-2020-14198) affecting 185 nodes running versions before 0.20.1, and three separate vulnerabilities impacting 182 nodes each in versions prior to 0.20.0. These are a memory-exhaustion DoS from large inv messages, a CPU-wasting DoS from malformed requests, and memory-related crashes when parsing BIP72 payment URIs.
The oldest disclosed vulnerabilities date back to 2015 and affect only a handful of nodes running such old software. These include a remote code execution bug in the bundled miniupnpc library (CVE-2015-6031) and a node-crashing DoS triggered by large messages (CVE-2015-3641), impacting 22 and 5 nodes respectively.
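The node counts above come from comparing each peer's self-reported version against the release in which a given bug was fixed. The script below is an added example, not code from the article or from Bitcoin Core, showing how an operator can run the same check against their own peers: it parses the `subver` user-agent field that `bitcoin-cli getpeerinfo` returns (for example `/Satoshi:0.20.1/`) and maps each peer onto the three fix thresholds named in the text (0.21.0, 0.20.1, 0.20.0). The 2015 bugs are left out because the article does not give the releases that fixed them. The peer list is constructed sample data, and the vulnerability labels are this example's own shorthand for the disclosed issues.

```python
import json
import re

# Fix thresholds stated in the disclosure summary: a node whose version is
# below the listed release is still exposed to that class of bug.
# Labels are this example's shorthand, not official advisory titles.
FIXED_IN = [
    ("unconfirmed-tx censorship / timestamp netsplit", (0, 21, 0)),
    ("unbounded banlist CPU/memory DoS (CVE-2020-14198)", (0, 20, 1)),
    ("large inv DoS, malformed-request DoS, BIP72 URI crash", (0, 20, 0)),
]

# Bitcoin Core advertises itself as /Satoshi:<version>/, possibly followed by
# further /name:version/ components (e.g. Knots). Other implementations
# (btcd, bcoin) use different names and are not covered by these thresholds.
UA_RE = re.compile(r"/Satoshi:(\d+(?:\.\d+)*)")

# Constructed sample in the shape of `bitcoin-cli getpeerinfo` output
# (only the "subver" field is used; addresses are RFC 5737 documentation ranges).
SAMPLE_GETPEERINFO = json.dumps([
    {"addr": "203.0.113.5:8333", "subver": "/Satoshi:26.0.0/"},
    {"addr": "198.51.100.7:8333", "subver": "/Satoshi:0.21.1/"},
    {"addr": "192.0.2.9:8333", "subver": "/Satoshi:0.20.1/"},
    {"addr": "192.0.2.10:8333", "subver": "/Satoshi:0.19.1/"},
    {"addr": "192.0.2.11:8333", "subver": "/btcwire:0.5.0/btcd:0.24.0/"},
])


def parse_version(subver):
    """Return the advertised Bitcoin Core version as a comparable tuple, or
    None when the peer is not a Satoshi (Bitcoin Core-derived) client."""
    m = UA_RE.search(subver)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Bitcoin Core dropped the leading 0 at release 22.0, so versions now come
    # as "22.0" or "26.0.0". Pad short forms to three components; plain tuple
    # comparison then ranks (22, 0, 0) above (0, 21, 1) as intended.
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def exposures(subver):
    """List the disclosed bug classes a peer is still exposed to, [] if none,
    or None if its version cannot be judged by these thresholds."""
    version = parse_version(subver)
    if version is None:
        return None
    return [label for label, fixed in FIXED_IN if version < fixed]


def summarize(peers):
    """Count outdated peers and how many fall under each bug class.
    `peers` is the decoded getpeerinfo list."""
    outdated = 0
    per_class = {}
    for peer in peers:
        exposed = exposures(peer.get("subver", ""))
        if exposed:
            outdated += 1
            for label in exposed:
                per_class[label] = per_class.get(label, 0) + 1
    return outdated, per_class


def report_sample():
    """Run the census over the constructed sample peer list."""
    return summarize(json.loads(SAMPLE_GETPEERINFO))


if __name__ == "__main__":
    outdated, per_class = report_sample()
    print(f"{outdated} outdated peer(s)")
    for label, count in per_class.items():
        print(f"  {count} exposed to: {label}")
```

Two caveats when using this for real: `subver` is self-reported and trivially spoofable, so this is a census of what peers claim, not proof of what they run; and a peer that does not advertise `/Satoshi:` may still be a Bitcoin Core build behind a proxy, which this check deliberately reports as unknown rather than as safe.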
The new disclosure system categorizes vulnerabilities into four severity levels and outlines specific disclosure timelines based on severity; Critical bugs are the exception and will be handled through an ad-hoc procedure. The initiative aims to set clear expectations for security researchers and to incentivize responsible disclosure of vulnerabilities.
While the proportion of vulnerable nodes is not by itself a critical problem, it represents a non-trivial portion of the network that could be targeted with known, already-patched bugs. The disclosure highlights the need for better communication and incentives within the Bitcoin community to encourage more frequent software updates and so improve the overall security of the network.
Adoption of the policy will be gradual: it begins with disclosing vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier, followed by those fixed in subsequent versions over the coming months.