The Ethereum Foundation’s Bug Bounty program is one of the oldest and longest-running programs of its kind. It was launched in 2015 and targeted the Ethereum PoW mainnet and associated software. In 2020, a second Bug Bounty program for the new proof-of-stake consensus layer was launched, alongside the original Bug Bounty program.
The separation of these programs is historical: the proof-of-stake consensus layer was architected separately from, and in parallel to, the existing execution layer (the PoW chain). Since the launch of the Beacon Chain in December 2020, the technical architecture of the execution layer and the consensus layer has been separate, with the exception of the deposit contract, so the two bug bounty programs have remained separate as well.
In light of the upcoming Merge, we are pleased to announce today that both of these programs have been successfully merged by the amazing team at ethereum.org, and the maximum bounty reward has been significantly increased!
Merging the Bug Bounty programs ✨
With The Merge approaching, the two previously separate bug bounty programs have been merged into one.
As the execution layer and the consensus layer become more and more interconnected, it is increasingly valuable to combine security efforts across these layers. Multiple efforts are already being organized by client teams and the community to further increase knowledge and expertise across both layers. Unifying the bounty program will further increase visibility and coordination in identifying and mitigating vulnerabilities.
Increased rewards 💰
The Bounty program’s maximum reward is now 500,000 during these periods!
In total, this marks a 10x increase of the previous maximum payout on consensus layer bounties and a 20x increase of the previous maximum payout on execution layer bounties.
Impact measurement 💥
The Bug Bounty program primarily focuses on securing the base layer of the Ethereum network. With this in mind, the impact of a vulnerability directly correlates with its impact on the network as a whole.
For example, although a denial of service vulnerability found in a client used by <1% of the network would certainly cause problems for users of that client, the same vulnerability would have a greater impact on the Ethereum network if it existed in a client used by >30% of the network.
Visibility 👀
In addition to merging bounty programs and increasing the maximum reward, several steps have been taken to clarify how to report vulnerabilities.
GitHub Security
Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now contain information on how to report vulnerabilities in their SECURITY.md files.
security.txt
A security.txt file is implemented and contains information on how to report vulnerabilities. The file itself can be found here.
DNS Security TXT
A DNS Security TXT record is implemented and contains information on how to report vulnerabilities. This entry can be viewed by running dig _security.ethereum.org TXT.
How can you get started? 🔨
With nine different clients written in different languages, Solidity, the specifications and the deposit smart contract all under the bounty program, there is a lot for bounty hunters to explore.
If you’re looking for ideas to start your bug hunting journey, take a look at the previously reported vulnerabilities. This was last updated in March and contains all reported vulnerabilities that we have recorded, up to the Altair network upgrade.
We look forward to your reports! 🐛