The Ethereum Foundation Bug Bounty Program is one of the earliest and longest-running programs of its kind. It was launched in 2015 and targeted the Ethereum PoW mainnet and related software. In 2020, a second bug bounty program was launched for the new proof-of-stake consensus layer, running alongside the original bug bounty program.
The split between these programs is historical: the proof-of-stake consensus layer was designed separately from, and in parallel with, the existing execution layer (the PoW chain). Since the launch of the Beacon Chain in December 2020, the execution layer and consensus layer have remained architecturally distinct except for the deposit contract, so the two bug bounty programs stayed separate as well.
In light of the upcoming Merge, today we are pleased to announce that these two programs have been merged into one. Brought to you by the awesome ethereum.org team, the maximum bounty rewards have also been significantly increased!
Merging the bug bounty programs ✨
With the Merge coming, the two previously separate bug bounty programs have been merged into one.
As the execution layer and consensus layer become increasingly interconnected, combining the security efforts across these layers becomes increasingly important. Our client teams and communities are already working hard to further increase knowledge and expertise across both layers. A single bounty program provides greater visibility and better coordination of vulnerability identification and mitigation efforts.
Increased rewards 💰
The maximum reward for the bounty program is now 500,000 during this period!
Overall, this represents a 10x increase from the previous maximum payout for consensus layer bounties and a 20x increase from the previous maximum payout for execution layer bounties.
Impact measurement 🎉
The bug bounty program is primarily focused on protecting the base layer of the Ethereum network. With this in mind, the impact of a vulnerability is measured by its effect on the network as a whole.
For example, a denial of service vulnerability discovered in a client used by less than 1% of the network will certainly cause problems for users of that client, but the same vulnerability in a client used by more than 30% of the network would have a far greater impact on the Ethereum network as a whole.
Visibility 🙌
In addition to consolidating the bounty program and increasing maximum rewards, several steps have been taken to clarify how vulnerabilities can be reported.
GitHub Security
Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now include information on how to report vulnerabilities in a SECURITY.md file.
security.txt
A security.txt file has been implemented and includes information on how to report vulnerabilities; the file itself can be found here.
DNS Security TXT
A DNS Security TXT record has been implemented and includes information on how to report vulnerabilities. It can be viewed by running: dig _security.ethereum.org TXT.
How do I get started? 🔨
With nine clients written in different languages, Solidity, the specifications and the deposit smart contract all within the scope of the bounty program, there is a lot for bounty hunters to dig into.
If you’re looking for ideas on where to start your bug hunting journey, take a look at the list of Previously Reported Vulnerabilities. It was last updated in March and includes all reported vulnerabilities up to the Altair network upgrade.
We look forward to hearing from you! 🐛