Bitcoin Core developers announce new “critical vulnerability” disclosure policy to more effectively communicate Bitcoin security vulnerabilities

According to TechFlow, Bitcoin Core developer Antoine Poinsot and five other developers announced a new "critical vulnerability" disclosure policy to members of the Bitcoin Development mailing list on July 3, aiming to more effectively communicate Bitcoin security vulnerabilities.

Poinsot pointed out that in the past the project did not do enough to publicly disclose security-critical vulnerabilities, leading users to mistakenly believe that Bitcoin Core has no vulnerabilities, which is both dangerous and inaccurate. The new policy divides vulnerabilities into four categories according to severity and provides a standardized disclosure process to encourage researchers to discover and disclose vulnerabilities responsibly. Low-, medium-, and high-level vulnerabilities will be disclosed two weeks after the fixed version is released, while the disclosure of critical vulnerabilities will be based on the situation. All vulnerabilities in Bitcoin Core version 0.21.0 and before were disclosed on July 3, and the disclosure of versions 0.22.0 and 0.23.0 will be released this month and August, respectively. The latest version is 27.1. Developer Eric Voskuil praised this policy.