Around 6% of Bitcoin nodes are currently operating on outdated software, exposing them to potential security vulnerabilities. To address this, Bitcoin Core has implemented a new disclosure policy aimed at enhancing network security through increased transparency.
Historically, Bitcoin Core developers have disclosed only 10 vulnerabilities that could affect older versions of the Bitcoin client software. A report from Bitcoin Optech reveals that these vulnerabilities, while fixed in recent releases, could have allowed various attacks on nodes running outdated Bitcoin Core versions. This comes as developers introduce a new security disclosure policy to improve transparency and communication between the team and Bitcoin’s public users.
“The project has historically done a poor job at publicly disclosing security-critical bugs, whether externally reported or found by contributors. This has led to a situation where a lot of users perceive Bitcoin Core as never having bugs. This perception is dangerous and, unfortunately, not accurate,” wrote Antoine Poinsot in the Bitcoin Development Mailing List announcement.
Liam Wright of CryptoSlate reports that approximately 787 nodes, or 5.94% of the 14,001 active Bitcoin nodes, are running versions older than 0.21.0, making them vulnerable to certain security risks. The most widespread vulnerability affects versions before 0.21.0, potentially enabling censorship of unconfirmed transactions and causing network splits due to excessive time adjustments.
Other Vulnerabilities
Other notable vulnerabilities include an unbounded ban list CPU/memory DoS (CVE-2020-14198) affecting 185 nodes running versions before 0.20.1, and three separate vulnerabilities impacting 182 nodes each in versions prior to 0.20.0. These include a memory DoS from large inv messages, a CPU-wasting DoS from malformed requests, and memory-related crashes when parsing BIP72 URIs.
Some of the oldest disclosed vulnerabilities date back to 2015, affecting only a few nodes running such outdated software. These include a remote code execution bug in miniupnpc (CVE-2015-6031) and a node crash DoS from large messages (CVE-2015-3641), impacting 22 and 5 nodes respectively.
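To make the version thresholds above actionable for an operator auditing their own node or its peers, here is an added Python example (not from the article, Bitcoin Optech or Bitcoin Core) that parses a Bitcoin Core user-agent string and lists which of the disclosed issues still apply. The peer list is constructed, and the 2015 issues are left out because the article does not state the version that fixed them.

```python
import re

# Disclosed issues keyed by the first release containing the fix, as given in
# the article. A node is affected when its version is strictly older than that.
DISCLOSED_ISSUES = [
    ("0.21.0", "censorship of unconfirmed transactions"),
    ("0.21.0", "network split via excessive time adjustment"),
    ("0.20.1", "CVE-2020-14198 unbounded ban list CPU/memory DoS"),
    ("0.20.0", "memory DoS from large inv messages"),
    ("0.20.0", "CPU-wasting DoS from malformed requests"),
    ("0.20.0", "crash while parsing BIP72 URIs"),
]

# Bitcoin Core advertises itself as "/Satoshi:<version>/", optionally with a
# comment in parentheses such as "/Satoshi:0.20.1(bitcore)/".
_CORE_UA = re.compile(r"^/Satoshi:(\d+(?:\.\d+){0,3})(?:\([^)]*\))?/")


def parse_version(text):
    """Turn '0.20.1' or '27.0' into a 4-tuple so versions compare numerically;
    padding keeps 0.21.x comparable with the later 22.0-style numbering."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def affected_issues(user_agent):
    """Issues that apply to this user agent, or None for a non-Core node."""
    match = _CORE_UA.match(user_agent)
    if match is None:
        return None
    running = parse_version(match.group(1))
    return [name for fixed, name in DISCLOSED_ISSUES
            if running < parse_version(fixed)]


def count_affected(user_agents):
    """Number of nodes affected by at least one disclosed issue."""
    return sum(1 for ua in user_agents if affected_issues(ua))


# Constructed sample of peer user agents, not real network data.
SAMPLE_PEERS = ["/Satoshi:27.0.0/", "/Satoshi:0.21.0/",
                "/Satoshi:0.20.1(bitcore)/", "/Satoshi:0.20.0/",
                "/Satoshi:0.19.1/", "/btcd:0.24.2/"]

if __name__ == "__main__":
    for ua in SAMPLE_PEERS:
        print(ua, affected_issues(ua))
    print("affected nodes:", count_affected(SAMPLE_PEERS))
```

In a real audit the user-agent strings would come from a node's `getpeerinfo` output rather than the constructed list.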
The new disclosure system categorizes vulnerabilities into four severity levels and outlines specific timelines for disclosure based on the severity. This initiative aims to set clear expectations for security researchers and incentivize responsible disclosure of vulnerabilities.
While the percentage of vulnerable nodes is not immediately critical, it represents a significant portion of the network that could be exploited. This disclosure highlights the need for better communication and incentives within the Bitcoin community to encourage more frequent software updates and enhance the overall security of the network. Critical bugs will require an ad-hoc procedure.
This gradual adoption will begin with disclosing vulnerabilities fixed in Bitcoin Core versions 0.21.0 and earlier, followed by those fixed in subsequent versions over the coming months. The policy aims to set clear expectations for security researchers and incentivize responsible disclosure.