Secured #4: Bug Bounty Rewards now as much as $250,000 USD

The Ethereum Basis Bug Bounty Program is likely one of the earliest and longest operating applications of its variety. It was launched in 2015 and focused the Ethereum PoW mainnet and associated software program. In 2020, a second Bug Bounty Program for the brand new Proof-of-Stake Consensus Layer was launched, operating alongside the unique Bug Bounty Program.

The cut up of those applications is historic as a result of method the Proof-of-Stake Consensus Layer was architected individually and in parallel to the present Execution Layer (contained in the PoW chain). For the reason that launch of the Beacon Chain in December of 2020, the technical structure between the Execution Layer and the Consensus Layer has been distinct, apart from the deposit contract, so the 2 bug bounty applications have remained separated.

In gentle of the approaching Merge, immediately we’re pleased to announce that these two applications have been efficiently merged by the superior workforce, and that the max bounty reward has been considerably elevated!

Merge (of the Bug Bounty Applications) ✨

With The Merge approaching, the 2 beforehand disparate bug bounty applications have been merged into one.

Because the Execution Layer and Consensus Layer grow to be increasingly more interconnected, it’s more and more helpful to mix the safety efforts of those layers. There are already a number of efforts being organized by consumer groups and the neighborhood to additional improve information and experience throughout the 2 layers. Unifying the Bounty Program will additional improve visibility and coordination efforts on figuring out and mitigating vulnerabilities.

Elevated Rewards 💰

The max reward of the Bounty Program is now 250,000(paidoutinETHorDAI)forvulnerabilitiesinscope.UpgradesliveonpublictestnetsandtargetedforaMainnetreleasearealsoscope,andrewardsaredoubledduringthistime,whichmeansthatthemaxrewardis250,000 (paid out in ETH or DAI) for vulnerabilities in scope. Upgrades dwell on public testnets and focused for a Mainnet launch are additionally scope, and rewards are doubled throughout this time, which implies that the max reward is

In whole, this marks a 10x improve from the earlier most payout on Consensus Layer bounties and a 20x improve from the earlier max payout on Execution Layer bounties.

Impression Measurement 💥

The Bug Bounty Program is primarily targeted on securing the bottom layer of the Ethereum Community. With this in thoughts, the impression of a vulnerability is in direct correlation to the impression on the community as a complete.

Whereas, for instance, a Denial of Service vulnerability present in a consumer being utilized by <1% of the community would definitely trigger points for the customers of this consumer, it might have the next impression on the Ethereum Community if the identical vulnerability existed in a consumer utilized by >30% of the community.

Visibility 👀

Along with the merge of the bounty applications and improve of the max reward, a number of steps have been taken to make clear find out how to report vulnerabilities.

Github Safety

Repositories reminiscent of ethereum/consensus-specs and ethereum/go-ethereum now comprise data on find out how to report vulnerabilities in information.


safety.txt is carried out and incorporates details about find out how to report vulnerabilities. The file itself could be discovered right here.

DNS Safety TXT

DNS Safety TXT is carried out and incorporates details about find out how to report vulnerabilities. This entry could be considered by operating dig TXT.

How will you get began? 🔨

With 9 completely different purchasers written in varied languages, Solidity, the Specs, and the deposit good contract all inside the scope of the bounty program, there’s a a lot for bounty hunters to dig into.

If you happen to’re searching for some concepts of the place to begin your bug looking journey, check out the beforehand reported vulnerabilities. This was final up to date in March and incorporates all of the reported vulnerabilities we now have on report, up till the Altair community improve.

We’re trying ahead to your reviews! 🐛

Supply hyperlink