The Ethereum Foundation Bug Bounty Program is one of the earliest and longest running programs of its kind. It was launched in 2015 and targeted the Ethereum PoW mainnet and related software. In 2020, a second Bug Bounty Program for the upcoming Proof-of-Stake Consensus Layer was launched, running alongside the original Bug Bounty Program.

The split between these programs is historical, owed to the way the Proof-of-Stake Consensus Layer was architected separately and in parallel to the existing Execution Layer (inside the PoW chain). Since the launch of the Beacon Chain in December of 2020, the technical architecture of the Execution Layer and the Consensus Layer has been distinct, except for the deposit contract, so the two bug bounty programs have remained separate.

In light of the coming Merge, today we are happy to announce that these two programs have been successfully merged by the awesome ethereum.org team, and that the max bounty reward has been substantially increased!

Merge (of the Bug Bounty Programs) ✨

With The Merge approaching, the two previously disparate bug bounty programs have been merged into one.

As the Execution Layer and Consensus Layer become more and more interconnected, it is increasingly valuable to combine the security efforts of these layers. There are already multiple efforts being organized by client teams and the community to further increase knowledge and expertise across the two layers. Unifying the Bounty Program will further increase visibility and coordination efforts on identifying and mitigating vulnerabilities.

Increased Rewards 💰

The max reward of the Bounty Program is now $250,000 (paid out in ETH or DAI) for vulnerabilities in scope. Upgrades live on public testnets and targeted for a Mainnet release are also in scope, and rewards are doubled during this time, which means that the max reward is $500,000 during these periods!

In total, this marks a 10x increase from the previous maximum payout on Consensus Layer bounties and a 20x increase from the previous max payout on Execution Layer bounties.

Impact Measurement 💥

The Bug Bounty Program is mainly focused on securing the base layer of the Ethereum Network. With this in mind, the impact of a vulnerability is in direct correlation to its impact on the network as a whole.

While, for example, a Denial of Service vulnerability found in a client used by <1% of the network would certainly cause issues for the users of that client, the same vulnerability would have a far higher impact on the Ethereum Network if it existed in a client used by >30% of the network.

Visibility 👀

In addition to the merge of the bounty programs and the increase of the max reward, multiple steps have been taken to clarify how to report vulnerabilities.

Github Security

Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now contain information on how to report vulnerabilities in their SECURITY.md files.

security.txt

security.txt is implemented and contains information about how to report vulnerabilities. The file itself can be found here.

DNS Security TXT

DNS Security TXT is implemented and contains information about how to report vulnerabilities. This entry can be viewed by running dig _security.ethereum.org TXT.
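Both channels above (the security.txt file and the _security DNS TXT record) are machine-readable, so a defender can check that they exist, are not expired, and point to the same contact. The following is an added example, not code from the Ethereum Foundation or ethereum.org; the sample records are constructed placeholders for example.org, not the real ethereum.org contents.

```python
"""Parse a security.txt body (RFC 9116) and DNS Security TXT strings
and cross-check them. Added example; all sample data is constructed."""
from datetime import datetime, timezone

# Constructed security.txt body ("Field: value" lines, '#' comments).
SAMPLE_SECURITY_TXT = """\
# Constructed example, not the real ethereum.org file
Contact: mailto:security@example.org
Contact: https://example.org/bounty
Expires: 2030-01-01T00:00:00Z
Policy: https://example.org/bounty
Preferred-Languages: en
"""

# Constructed TXT strings as 'dig _security.example.org TXT' might return.
SAMPLE_DNS_TXT = [
    "security_contact=mailto:security@example.org",
    "security_policy=https://example.org/bounty",
]


def parse_security_txt(body):
    """Return {field (lower-case): [values]}; skips comments and blanks."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def parse_dns_security_txt(records):
    """Return {key: value} from 'key=value' TXT strings; others ignored."""
    out = {}
    for rec in records:
        if "=" in rec:
            key, value = rec.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def security_txt_is_current(fields, now=None):
    """Per RFC 9116, a file past its Expires date should not be trusted."""
    exp = fields.get("expires")
    if not exp:
        return False
    when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
    return when > (now or datetime.now(timezone.utc))


def channels_agree(fields, dns):
    """True if the DNS contact also appears in security.txt's Contact list."""
    return dns.get("security_contact") in fields.get("contact", [])
```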

How can you get started? 🔨

With 9 different clients written in various languages, Solidity, the Specifications, and the deposit smart contract all within the scope of the bounty program, there is plenty for bounty hunters to dig into.

If you're looking for some ideas of where to start your bug hunting journey, take a look at the previously reported vulnerabilities. This list was last updated in March and contains all the reported vulnerabilities we have on record, up until the Altair network upgrade.

We're looking forward to your reports! 🐛