Security Advisories

Overview

This page summarizes the policy for disclosing vulnerabilities in Bitcoin Core and lists past Security Advisories.

Policy

When a vulnerability is reported, it is assigned a severity category. We differentiate between 4 classes of vulnerabilities:

  • Low: bugs which are hard to exploit or have a low impact. For instance, a wallet bug which requires access to the victim’s machine.

  • Medium: bugs with limited impact. For instance, a remote crash that can only be triggered from the local network.

  • High: bugs with significant impact. For instance, a remote crash, or remote code execution from the local network.

  • Critical: bugs which threaten the whole network’s integrity. For instance, an inflation or coin theft bug.

Low severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.

Medium and High severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.

Critical bugs are not covered by the standard policy, as they would most likely require an ad-hoc procedure. Note also that a reported bug may turn out not to be a vulnerability at all, or may be considered serious yet not require an embargo.

Past Security Advisories

Disclosure of CVE-2024-35202

An attacker could remotely crash a Bitcoin Core node by triggering an assertion in the blocktxn message handling logic.

Disclosure of CVE-2020-14198

Nodes could be subject to CPU and memory DoS when attacked by lots of distinct IPs. A fix was released on August 1st, 2020 in Bitcoin Core 0.20.1.

Disclosure of CVE-2015-3641

Attackers sending large incomplete messages could cause high memory usage. A fix was released on April 27th, 2015 in Bitcoin Core 0.10.1.

Disclosure of CVE-2017-18350

Nodes were potentially vulnerable to a buffer overflow caused by malicious SOCKS servers. A fix was released on November 6th, 2017 in Bitcoin Core 0.15.1.

Disclosure of CVE-2018-17144

Bitcoin Core was vulnerable to a DoS and inflation attack. A fix was released on September 18th, 2018 in Bitcoin Core versions 0.16.3 and 0.17.0rc4.