
Unleashing the Potential: Bug Bounty Rewards Soar to $250,000 USD!

The Ethereum Foundation Bug Bounty Initiative is one of the earliest and longest-running programs of its kind. It commenced in 2015, focusing on the Ethereum PoW mainnet and associated software. In 2020, a second Bug Bounty Initiative for the new Proof-of-Stake Consensus Layer was launched, running concurrently with the initial Bug Bounty Initiative.

The split between these initiatives is historical: the Proof-of-Stake Consensus Layer was designed independently of, and in parallel to, the existing Execution Layer (within the PoW chain). Since the launch of the Beacon Chain in December 2020, the technical architecture of the Execution Layer and the Consensus Layer has been separate, except for the deposit contract, so the two bug bounty initiatives have remained distinct.

In anticipation of the upcoming Merge, we are excited to announce that these two initiatives have been effectively combined by the fantastic ethereum.org team, and that the maximum bounty reward has been significantly enhanced!

Consolidation (of the Bug Bounty Initiatives) ✨

With The Merge forthcoming, the two previously separate bug bounty initiatives have been unified into a single one.

As the Execution Layer and Consensus Layer become increasingly interconnected, it becomes more valuable to amalgamate the security efforts of these layers. Numerous initiatives are already being organized by client teams and the community to enhance knowledge and expertise across the two layers. Uniting the Bounty Initiative will further boost visibility and coordination efforts in identifying and addressing vulnerabilities.

Enhanced Rewards 💰

The maximum reward of the Bounty Initiative is now $250,000 (paid out in ETH or DAI) for vulnerabilities in scope. Upgrades live on public testnets and targeted for a Mainnet release are also in scope, and rewards are doubled during this time, which means that the max reward is $500,000 during these intervals!

Altogether, this is a 10x increase over the previous maximum payout for Consensus Layer bounties and a 20x increase over the previous maximum payout for Execution Layer bounties.

Impact Assessment 💥

The Bug Bounty Program is primarily focused on securing the base layer of the Ethereum Network. With this in mind, the impact of a vulnerability is directly tied to its effect on the network as a whole.

For instance, a Denial of Service vulnerability identified in a client utilized by 30% of the network.

Visibility 👀

Apart from the unification of the bounty schemes and the increase of the maximum reward, several measures have been taken to clarify how to report vulnerabilities.

GitHub Security

Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now include details on how to report vulnerabilities in SECURITY.md files.

security.txt

security.txt is in place and contains information on how to report vulnerabilities. The file itself can be accessed here.

DNS Security TXT

DNS Security TXT has been implemented and contains details on how to report vulnerabilities. This entry can be examined by executing dig _security.ethereum.org TXT.

How can you begin? 🔨

With nine distinct clients developed in various programming languages, Solidity, the Specifications, and the deposit smart contract all within the ambit of the bounty program, there is ample opportunity for bounty hunters to explore.

If you’re seeking inspiration on where to commence your bug hunting venture, check out the previously reported vulnerabilities. This was last refreshed in March and encompasses all the documented vulnerabilities we have on file, up until the Altair network upgrade.

We’re eager to receive your reports! 🐛


