TechFlow reports that Bitcoin Core developer Antoine Poinsot and five other developers announced a new "critical vulnerability" disclosure policy to the Bitcoin Development mailing list on July 3, aiming to more effectively communicate Bitcoin security vulnerabilities.
Poinsot pointed out that in the past, the project had not done enough in publicly disclosing security-critical vulnerabilities, leading users to mistakenly believe that Bitcoin Core had no vulnerabilities—a perception both dangerous and inaccurate. The new policy classifies vulnerabilities into four severity levels and provides a standardized disclosure process to encourage researchers to discover and responsibly disclose vulnerabilities. Low, medium, and high-severity vulnerabilities will be disclosed two weeks after the release of the patched version, while critical vulnerabilities will be disclosed on a case-by-case basis. All vulnerabilities for Bitcoin Core versions 0.21.0 and earlier were disclosed on July 3, with disclosures for versions 0.22.0 and 0.23.0 scheduled for this month and August respectively. The latest version is 27.1. Developer Eric Voskuil praised the new policy.




