The Ethereum Foundation Bug Bounty Program is without doubt one of the oldest and longest-running programs of its kind. Launched in 2015, it targeted the Ethereum PoW mainnet and associated software. In 2020, a second bug bounty program for the new Proof of Stake Consensus Layer was launched, running in parallel with the original bug bounty program.
This split was historical: the Proof of Stake consensus layer was designed separately and in parallel with the existing execution layer (the PoW chain). Since the launch of the Beacon Chain in December 2020, the technical architecture of the execution layer and the consensus layer has been separate, apart from the deposit contract. As such, the two bug bounty programs remained separate.
In light of the upcoming Merge, I'm pleased to announce today the merging of these two programs. The merged bounty's maximum rewards have been greatly increased, with help from the awesome ethereum.org team!
Merge (of the bug bounty program) ✨
With the Merge approaching, the two previously separate bug bounty programs are being merged into one.
As the execution layer and the consensus layer become more and more interconnected, combining the security efforts across these layers becomes increasingly important. Several initiatives have already been organized by client teams and the community to further develop their knowledge and expertise across the two layers. Consolidating our bounty program further improves visibility and coordination around vulnerability identification and mitigation.
Increased Rewards 💰
The bounty program's maximum reward is currently $250,000 (paid in ETH or DAI) for in-scope vulnerabilities. Vulnerabilities related to upgrades on public testnets and upgrades targeted for mainnet are also eligible, and rewards are doubled during such an upgrade period. So the maximum reward during these periods is $500,000!
Overall, this is a 10x increase from the Consensus Layer bounty's previous maximum payout and a 20x increase from the previous maximum payout of the execution layer bounty.
Influence measurement 💥
The bug bounty program is primarily focused on protecting the base layer of the Ethereum network. With this in mind, the impact of a vulnerability directly correlates with its overall network impact.
For example, if a denial of service vulnerability is found in a client used by less than 1% of the network, users of that client will certainly experience problems, but the same vulnerability in a client used by 30% or more of the network would have a far greater impact on the Ethereum network as a whole.
In addition to consolidating the bounty program and increasing the maximum reward, several steps have been taken to clarify how vulnerabilities are reported.
Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now include information on how to report vulnerabilities in a SECURITY.md file.
A security.txt file (RFC 9116) has been implemented and contains information on how to report vulnerabilities. The file itself can be found at the standard location the RFC specifies, /.well-known/security.txt.
DNS Security TXT
A DNS Security TXT record has been implemented and contains information on how to report vulnerabilities. This entry can be seen by running: dig _security.ethereum.org TXT
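As an added worked example (not code from this post or from the Ethereum Foundation), the following Python parses a constructed security.txt body and a constructed set of _security TXT record strings, checks the RFC 9116 essentials a reporter depends on (a Contact field and a single, unexpired Expires field), and confirms that both channels point a reporter at the same contact and policy. The example.org names, the sample values, and the security_contact / security_policy key names assumed for the DNS Security TXT record are assumptions for the example, not ethereum.org's real entries; the restriction of Contact to https/mailto/tel schemes is also the example's own policy, stricter than the RFC.

```python
"""Parse and sanity-check the two machine-readable disclosure channels named
above: a security.txt file (RFC 9116) and a _security TXT record (DNS Security
TXT). All sample inputs are constructed; they are not ethereum.org's records."""
from datetime import datetime, timezone

# Constructed security.txt body (assumption: typical RFC 9116 fields; this is
# not the real ethereum.org file).
SAMPLE_SECURITY_TXT = """\
# Constructed example file
Contact: mailto:security@example.org
Contact: https://example.org/bounty
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/bounty
Preferred-Languages: en
"""

# Constructed _security.example.org TXT strings, as `dig` would list them.
# Assumption: the DNS Security TXT convention is one "key=value" string per
# record, with security_contact and security_policy as the usual keys.
SAMPLE_DNS_TXT_RECORDS = [
    "security_contact=mailto:security@example.org",
    "security_policy=https://example.org/bounty",
]

# The example's own policy: schemes a reporter can act on without guessing.
ALLOWED_CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text):
    """Return {lowercased field name: [values]} for a security.txt body.

    Comment lines (# ...) and blank lines are skipped; every other line must
    be "Field: value", otherwise the file is rejected as malformed.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed security.txt line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(fields, now=None):
    """Return a list of problems: RFC 9116 requires at least one Contact and
    exactly one Expires; an expired file should not be trusted for contact
    details, so the timestamp is compared against `now` (UTC by default)."""
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not an https/mailto/tel URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # Pythons before 3.11 reject a trailing "Z" in fromisoformat,
            # so normalise it to an explicit UTC offset first.
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {expires[0]}")
        else:
            now = now or datetime.now(timezone.utc)
            if when <= now:
                problems.append(f"security.txt expired on {expires[0]}")
    return problems


def parse_dns_security_txt(records):
    """Return {key: value} from TXT strings such as those printed by
    `dig _security.<domain> TXT`. Surrounding quotes are stripped and
    strings without '=' are ignored."""
    out = {}
    for rec in records:
        key, sep, value = rec.strip().strip('"').partition("=")
        if sep and key.strip():
            out[key.strip()] = value.strip()
    return out


def channels_agree(sec_fields, dns_fields):
    """True when the DNS security_contact (and security_policy, if present)
    are also advertised in security.txt, so a reporter using either channel
    ends up at the same place."""
    contact_ok = dns_fields.get("security_contact") in sec_fields.get("contact", [])
    policy = dns_fields.get("security_policy")
    policy_ok = policy is None or policy in sec_fields.get("policy", [])
    return contact_ok and policy_ok


if __name__ == "__main__":
    fields = parse_security_txt(SAMPLE_SECURITY_TXT)
    print("security.txt problems:", check_security_txt(fields) or "none")
    dns = parse_dns_security_txt(SAMPLE_DNS_TXT_RECORDS)
    print("DNS and security.txt agree:", channels_agree(fields, dns))
```

To run this against live data, feed parse_security_txt the body fetched from the /.well-known/security.txt path that RFC 9116 specifies, and parse_dns_security_txt the quoted strings printed by the dig command above.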
How do I get started? 🔨
With nine different clients, Solidity, the specifications and the deposit smart contract, written in various languages and all within the scope of the bounty program, there is a lot for bounty hunters to dig into.
If you're looking for ideas on where to start your bug hunting journey, the list of previously reported vulnerabilities was last updated in March and includes all reported vulnerabilities recorded up until the Altair network upgrade.
We look forward to hearing from you! 🐛