Bitcoin Core Introduces New Security Disclosure Policy

Bitcoin Core developers introduced a new security disclosure policy for publicizing security-critical bugs. This policy aims to establish a standardized process for reporting and disclosing vulnerabilities and improve transparency and security within the Bitcoin ecosystem.

  • "The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate," writes Antoine Poinsot.
    "Besides a better communication of the risk of running outdated versions, a consistent tracking and standardized disclosure process would set clear expectations for security researchers, providing them with an incentive to try finding vulnerabilities *and* to responsibly disclose them. Making the security bugs available to the wider group of contributors can help prevent future ones," he added.
  • "Today we will disclose all vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier. Later in July we will disclose all vulnerabilities fixed in Bitcoin Core version 22.0. In August, all vulnerabilities fixed in Bitcoin Core version 23.0. And so on until we run out of EOL versions to disclose vulnerabilities for," explained the developer.
  • A new Security Advisories page has been added to the Bitcoin Core website. It currently documents disclosures for versions of Bitcoin Core prior to v0.21.0. All of these versions are End of Life (EOL) and no longer receive any maintenance updates. The latest release of Bitcoin Core is v27.1; the 26.x and 25.x branches also continue to receive maintenance updates.

For detailed information, see the commits on GitHub: Bitcoin Core Security Disclosures.

Announcement / Archive
Security Advisories Page
Bitcoin Magazine Article / Archive