Responsible disclosure of bugs



Summary:

Bitcoin's general practice is to publish a vulnerability only after more than 80% of nodes have upgraded to a fixed version. Critical vulnerabilities, such as remote code execution, are patched immediately without disclosing the underlying problem, and all participants are notified as soon as possible. Non-critical vulnerabilities may wait years before publication, depending on whether miners can exploit them or whether exploiting them requires vast resources. This policy has a track record of protecting Bitcoin users, and it is justified by that record rather than by loyalty to Bitcoin Core. One consequence is that researchers may find their discoveries have already been reported privately; another is that they cannot report such vulnerabilities to altcoins, which follow different disclosure policies.

In a discussion on the bitcoin-dev mailing list, developers raised concerns about how to disclose vulnerabilities to altcoin developers who may not be trustworthy. One suggestion was to identify a small group of trustworthy altcoin developers; failing that, eventual public disclosure would still be preferable to leaving the vulnerability unrevealed. It was also argued that good security for Bitcoin is defined not by constant upgrading but by confidence that the definition of money has not changed. Effort spent backporting fixes and workarounds, and contributing patches, could help both altcoins and Bitcoin investors and traders.


Updated on: 2023-06-12T18:41:53.634955+00:00