The Ethereum Foundation Bug Bounty Program is one of the earliest and longest running programs of its kind. It was launched in 2015 and targeted the Ethereum PoW mainnet and related software. In 2020, a second Bug Bounty Program for the new Proof-of-Stake Consensus Layer was launched, running alongside the original Bug Bounty Program.
The split of these programs is historic due to the way the Proof-of-Stake Consensus Layer was architected separately and in parallel to the existing Execution Layer (inside the PoW chain). Since the launch of the Beacon Chain in December of 2020, the technical architecture between the Execution Layer and the Consensus Layer has been distinct, except for the deposit contract, so the two bug bounty programs have remained separated.
In light of the coming Merge, today we are happy to announce that these two programs have been successfully merged by the awesome ethereum.org team, and that the max bounty reward has been substantially increased!
Merge (of the Bug Bounty Programs) ✨
With The Merge approaching, the two previously disparate bug bounty programs have been merged into one.
As the Execution Layer and Consensus Layer become more and more interconnected, it is increasingly valuable to combine the security efforts of these layers. There are already multiple efforts being organized by client teams and the community to further increase knowledge and expertise across the two layers. Unifying the Bounty Program will further increase visibility and coordination efforts on identifying and mitigating vulnerabilities.
Increased Rewards 💰
The max reward of the Bounty Program is now $ 250,000 (paid out in ETH or DAI) for vulnerabilities in scope. Upgrades live on public testnets and targeted for a Mainnet release are also scope, and rewards are doubled during this time, which means that the max reward is $ 500,000 during these periods!
In total, this marks a 10x increase from the previous maximum payout on Consensus Layer bounties and a 20x increase from the previous max payout on Execution Layer bounties.
Impact Measurement 💥
The Bug Bounty Program is primarily focused on securing the base layer of the Ethereum Network. With this in mind, the impact of a vulnerability is in direct correlation to the impact on the network as a whole.
While, for example, a Denial of Service vulnerability found in a client being used by <1% of the network would certainly cause issues for the users of this client, it would have a higher impact on the Ethereum Network if the same vulnerability existed in a client used by> 30% of the network.
In addition to the merge of the bounty programs and increase of the max reward, multiple steps have been taken to clarify how to report vulnerabilities.
Repositories such as ethereum / consensus-specs and ethereum / go-ethereum now contain information on how to report vulnerabilities in
security.txt is implemented and contains information about how to report vulnerabilities. The file itself can be found here.
DNS Security TXT
DNS Security TXT is implemented and contains information about how to report vulnerabilities. This entry can be viewed by running
dig _security.ethereum.org TXT.
How can you get started? 🔨
With nine different clients written in various languages, Solidity, the Specifications, and the deposit smart contract all within the scope of the bounty program, there is a plenty for bounty hunters to dig into.
If you’re looking for some ideas of where to start your bug hunting journey, take a look at the previously reported vulnerabilities. This was last updated in March and contains all the reported vulnerabilities we have on record, up until the Altair network upgrade.
We’re looking forward to your reports! 🐛