The Ethereum Basis Bug Bounty Program is likely one of the earliest and longest operating applications of its variety. It was launched in 2015 and focused the Ethereum PoW mainnet and associated software program. In 2020, a second Bug Bounty Program for the brand new Proof-of-Stake Consensus Layer was launched, operating alongside the unique Bug Bounty Program.
The cut up of those applications is historic due to the best way the Proof-of-Stake Consensus Layer was architected individually and in parallel to the present Execution Layer (contained in the PoW chain). Because the launch of the Beacon Chain in December of 2020, the technical structure between the Execution Layer and the Consensus Layer has been distinct, aside from the deposit contract, so the 2 bug bounty applications have remained separated.
In mild of the approaching Merge, at the moment we’re completely satisfied to announce that these two applications have been efficiently merged by the superior ethereum.org workforce, and that the max bounty reward has been considerably elevated!
Merge (of the Bug Bounty Packages) ✨
With The Merge approaching, the 2 beforehand disparate bug bounty applications have been merged into one.
Because the Execution Layer and Consensus Layer turn out to be increasingly interconnected, it’s more and more worthwhile to mix the safety efforts of those layers. There are already a number of efforts being organized by shopper groups and the group to additional enhance information and experience throughout the 2 layers. Unifying the Bounty Program will additional enhance visibility and coordination efforts on figuring out and mitigating vulnerabilities.
Elevated Rewards 💰
The max reward of the Bounty Program is now 500,000 throughout these intervals!
In whole, this marks a 10x enhance from the earlier most payout on Consensus Layer bounties and a 20x enhance from the earlier max payout on Execution Layer bounties.
Affect Measurement 💥
The Bug Bounty Program is primarily targeted on securing the bottom layer of the Ethereum Community. With this in thoughts, the affect of a vulnerability is in direct correlation to the affect on the community as a complete.
Whereas, for instance, a Denial of Service vulnerability present in a shopper being utilized by <1% of the community would definitely trigger points for the customers of this shopper, it could have a better affect on the Ethereum Community if the identical vulnerability existed in a shopper utilized by >30% of the community.
Visibility 👀
As well as to the merge of the bounty applications and enhance of the max reward, a number of steps have been taken to make clear how to report vulnerabilities.
Github Safety
Repositories reminiscent of ethereum/consensus-specs and ethereum/go-ethereum now comprise info on how to report vulnerabilities in SECURITY.md recordsdata.
safety.txt
security.txt is carried out and comprises details about how to report vulnerabilities. The file itself can be found here.
DNS Safety TXT
DNS Security TXT is carried out and comprises details about how to report vulnerabilities. This entry will be seen by operating dig _security.ethereum.org TXT.
How will you get began? 🔨
With 9 totally different shoppers written in numerous languages, Solidity, the Specs, and the deposit good contract all inside the scope of the bounty program, there’s a lots for bounty hunters to dig into.
For those who’re searching for some concepts of the place to begin your bug looking journey, check out the beforehand reported vulnerabilities. This was final up to date in March and comprises all of the reported vulnerabilities we now have on file, up till the Altair community improve.
We’re trying ahead to your experiences! 🐛
