The Ethereum Foundation has been running a Bug Bounty program since 2015, focusing on its PoW mainnet and related software. Last year, a second Bug Bounty Program was introduced to support the new proof-of-stake consensus layer. This ran alongside the original Bug Bounty program.
The programs were originally split because the proof-of-stake consensus layer was developed separately from, and in parallel to, the existing proof-of-work execution layer. That changed with the launch of the Beacon Chain in December 2020, but apart from the deposit contract the consensus and execution layers still have distinct technical architectures, which is why the two bug bounty programs remained separate.
In light of the upcoming Merge, the Ethereum Foundation is happy to announce that both of these programs have now been merged into one. Thanks to the incredible team at Ethereum.org, the maximum bounty has also been increased significantly.
Merging (of Bug Bounty programs) ✨
The two previously separate bug bounty programs have been merged into one. As the execution layer and consensus layer become increasingly interconnected, combining their security efforts is the more valuable approach. Several communities and teams are already coordinating multiple initiatives to expand knowledge and expertise across both layers, and unifying the Bounty Program will increase visibility and coordination in identifying and mitigating vulnerabilities.
Increased Rewards 💰
The maximum reward for the Bug Bounty Program is now $250,000, paid in ETH or DAI, for in-scope vulnerabilities. Rewards may also be raised for limited periods, for example while a public testnet goes live or a mainnet release is being targeted. During these periods, the maximum reward is $500,000.
Altogether, this is a 10x increase over the previous maximum payout for the consensus layer, and a 20x increase over the previous maximum payout for the execution layer.
Measuring Impact 💥
The Bug Bounty Program is principally focused on protecting the base layers of the Ethereum network, so the impact of any discovered vulnerability on the network as a whole is taken into account. For instance, a denial-of-service vulnerability in a client used by less than 1% of the network may have little effect, whereas the same vulnerability in a client used by more than 30% of the network would have a far greater impact on Ethereum as a whole.
Visibility 👀
A number of steps have been taken to clarify how to report vulnerabilities. Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now carry reporting instructions in their SECURITY.md file. A security.txt file with reporting instructions is also being deployed; you can find it here. A DNS Security TXT record with the same instructions is being deployed as well; you can see the entry by running dig _security.ethereum.org TXT in your terminal.
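The two machine-readable sources mentioned above, a security.txt file (RFC 9116) and a DNS security TXT record, are only useful to reporters if they are well-formed and current. The following script is an added example, not code from the Ethereum Foundation or ethereum.org: it parses constructed samples of both formats and flags the problems a defender should catch before publishing (missing Contact or Expires, an expired file, a non-URI contact). The sample contents, the example.org domain and the fixed reference time are all constructed for illustration.

```python
"""
Added example: basic validation of a security.txt body (RFC 9116) and a
dnssecuritytxt-style DNS TXT record. All sample data below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample of a security.txt body; values are placeholders,
# not ethereum.org's real file.
SAMPLE_SECURITY_TXT = """\
# Constructed sample, not a real file
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.org/bug-bounty
Preferred-Languages: en
"""

# Constructed sample of TXT strings, in the shape `dig _security.<domain> TXT`
# returns for a dnssecuritytxt record (key=value pairs in quoted strings).
SAMPLE_DNS_TXT = [
    '"security_contact=mailto:security@example.org"',
    '"security_policy=https://example.org/bug-bounty"',
]

# Fixed reference time so the checks are deterministic (constructed).
REFERENCE_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)

# RFC 9116 requires Contact and Expires; Expires must appear exactly once.
REQUIRED_FIELDS = ("contact", "expires")


def parse_security_txt(text):
    """Map lower-cased field name -> list of values. Comments and blank
    lines are skipped; fields the checker does not know are kept as-is."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comment, blank, or not a 'Name: value' line
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems; an empty list means the basic checks pass."""
    now = now or datetime.now(timezone.utc)
    problems = [f"missing required field: {f}"
                for f in REQUIRED_FIELDS if f not in fields]
    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for exp in expires:
        try:
            # Accept the trailing 'Z' form on Python versions older than 3.11.
            when = datetime.fromisoformat(exp.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {exp}")
            continue
        if when <= now:
            problems.append(f"security.txt expired on {exp}")
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(
                f"Contact should be a mailto:, https:// or tel: URI: {contact}")
    return problems


def parse_dns_security_txt(records):
    """Parse dnssecuritytxt-style TXT strings into a key -> value dict."""
    out = {}
    for rec in records:
        body = rec.strip().strip('"')
        if "=" not in body:
            continue  # not a key=value string; ignore
        key, value = body.split("=", 1)
        out[key.strip().lower()] = value.strip()
    return out


if __name__ == "__main__":
    fields = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("security.txt fields:", fields)
    print("problems:", check_security_txt(fields, now=REFERENCE_TIME) or "none")
    print("DNS record:", parse_dns_security_txt(SAMPLE_DNS_TXT))
```

To check a live file, feed the body fetched from https://<domain>/.well-known/security.txt into parse_security_txt, and the quoted strings from the dig output into parse_dns_security_txt; the checker deliberately keeps unknown fields so that a file using extra fields is not rejected.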
How do you get started? 🔨
With nine different clients across multiple languages, plus Solidity, bounty hunters have plenty to explore. If you are looking for ideas on where to begin your bug hunting journey, check out the previously reported vulnerabilities. That list was last updated in March and contains all known vulnerabilities up to the Altair network upgrade.
We look forward to reading your reports. 🐛