Bitcoin Core devs adopt new security policy to curb outdated software use

A new disclosure policy categorizes Bitcoin software vulnerabilities to enhance the network's security and transparency.

Key Takeaways

  • Approximately 6% of Bitcoin nodes run outdated software, exposing them to security risks.
  • Bitcoin Core's new disclosure policy aims to improve network security through transparency.

Throughout their commit history, Bitcoin Core developers have only disclosed 10 vulnerabilities that could affect older versions of the Bitcoin client software. According to a report from Bitcoin Optech, these vulnerabilities, while already fixed in more recent releases, could have allowed various attacks on nodes running outdated Bitcoin Core versions.

This report comes as developers introduced a new security disclosure policy to improve transparency and communication between the team and Bitcoin’s public users.

“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate,” the announcement stated, as written by Antoine Poinsot for the Bitcoin Development Mailing List.

According to an analysis written by Liam Wright of CryptoSlate, approximately 787 nodes, or 5.94% of the 14,001 active Bitcoin nodes, are running versions older than 0.21.0, making them susceptible to certain vulnerabilities. The most widespread vulnerability affects versions prior to 0.21.0, potentially enabling censorship of unconfirmed transactions and causing netsplits due to excessive time adjustments.

Other significant vulnerabilities include an unbounded ban list CPU/memory DoS (CVE-2020-14198) affecting 185 nodes running versions before 0.20.1, and three separate vulnerabilities impacting 182 nodes each in versions prior to 0.20.0. These include memory DoS from large inv messages, CPU-wasting DoS from malformed requests, and memory-related crashes when parsing BIP72 URIs.

The oldest disclosed vulnerabilities date back to 2015, affecting very few nodes running such outdated software. These include a remote code execution bug in miniupnpc (CVE-2015-6031) and a node crash DoS from large messages (CVE-2015-3641), impacting 22 and 5 nodes respectively.
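As an added illustration (not code from the article, Bitcoin Optech or Bitcoin Core), the version thresholds quoted above can be turned into a simple check a node operator might run over the `subver` strings that `bitcoin-cli getpeerinfo` reports, to see which of the disclosed issue classes a given peer version still falls under. The user-agent strings below are constructed; the 2015 CVEs are omitted because the article gives no version threshold for them.

```python
import re
from typing import List, Optional, Tuple

# (first fixed version, description), taken from the article's text.
# Versions older than the first entry of each tuple are affected.
DISCLOSED: List[Tuple[Tuple[int, int, int], str]] = [
    ((0, 21, 0), "unconfirmed-tx censorship / netsplit via excessive time adjustment"),
    ((0, 20, 1), "CVE-2020-14198 unbounded ban list CPU/memory DoS"),
    ((0, 20, 0), "memory DoS from large inv messages"),
    ((0, 20, 0), "CPU-wasting DoS from malformed requests"),
    ((0, 20, 0), "crash when parsing BIP72 URIs"),
]


def parse_version(user_agent: str) -> Optional[Tuple[int, ...]]:
    """Extract a comparable version tuple from a Bitcoin Core user agent.

    Handles both the old 0.x.y scheme and the post-0.21 scheme (22.0.0, ...),
    and treats release candidates (e.g. 0.21.0rc1) as older than the release.
    Returns None for non-Core clients, which cannot be assessed this way.
    """
    m = re.search(r"Satoshi:(\d+(?:\.\d+)*)(rc\d+)?", user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    # Trailing element: -1 for a release candidate, 0 for a final release.
    parts.append(-1 if m.group(2) else 0)
    return tuple(parts)


def applicable_findings(user_agent: str) -> Optional[List[str]]:
    """List the disclosed issue classes a peer's advertised version predates."""
    version = parse_version(user_agent)
    if version is None:
        return None
    return [desc for fixed, desc in DISCLOSED if version < fixed + (0,)]


def summarize(user_agents: List[str]) -> Tuple[int, int]:
    """Return (assessable peers, peers with at least one applicable finding)."""
    results = [applicable_findings(ua) for ua in user_agents]
    assessable = [r for r in results if r is not None]
    return len(assessable), sum(1 for r in assessable if r)


# Constructed sample of subver strings such as getpeerinfo would show.
SAMPLE_PEERS = ["/Satoshi:0.19.1/", "/Satoshi:0.20.0/", "/Satoshi:0.21.0/",
                "/Satoshi:22.0.0/", "/Satoshi:0.21.0rc1/", "/btcwire:0.5.0/btcd:0.23.1/"]
```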

The new disclosure system categorizes vulnerabilities into four severity levels and outlines specific timelines for disclosure based on the severity. This initiative aims to set clear expectations for security researchers and incentivize responsible disclosure of vulnerabilities.

While the percentage of vulnerable nodes is not an immediate critical issue, it represents a non-trivial portion of the network that could be exploited. This disclosure, in particular, highlights the need for better communication and incentives within the Bitcoin community to encourage more frequent software updates and enhance the overall security of the network. Notably, Critical bugs will require an ad-hoc procedure.

This gradual adoption will begin with disclosing vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier, followed by those fixed in subsequent versions over the coming months. The policy aims to set clear expectations for security researchers and incentivize responsible disclosure.
