
Secured #4: Bug Bounty Rewards now up to $250,000 USD

December 13, 2025
By ZadeNor AI Team

The Evolution of Ethereum's Bug Bounty Program: A 10x Increase in Rewards and a Unified Front Against Vulnerabilities

In a significant move, the Ethereum Foundation has merged its two bug bounty programs, increasing the maximum reward for vulnerabilities in scope to $250,000 USD. This substantial increase, which marks a 10x jump from the previous maximum payout on Consensus Layer bounties and a 20x increase from the previous max payout on Execution Layer bounties, is a testament to the growing importance of securing the Ethereum Network.

A Brief History of the Bug Bounty Program

Launched in 2015, the Ethereum Foundation's Bug Bounty Program was one of the earliest and longest-running programs of its kind. Initially targeting the Ethereum PoW mainnet and related software, the program has undergone significant changes over the years. In 2020, a second Bug Bounty Program was launched for the new Proof-of-Stake Consensus Layer, running alongside the original program. This split was historical, as the Proof-of-Stake Consensus Layer was architected separately from, and in parallel to, the existing Execution Layer.

The Merge: A Unified Front Against Vulnerabilities

With the upcoming Merge, the two previously disparate bug bounty programs have been merged into one. This move is a significant step towards increasing visibility and coordination efforts on identifying and mitigating vulnerabilities. As the Execution Layer and Consensus Layer become more interconnected, it is increasingly valuable to combine the security efforts of these layers. Multiple efforts are already being organized by client teams and the community to further increase knowledge and expertise across the two layers.

Increased Rewards: A 10x Increase in Maximum Payout

The maximum reward for vulnerabilities in scope has been increased to $250,000 USD, paid out in ETH or DAI. Upgrades that are live on public testnets and targeted for a Mainnet release are also in scope, and rewards are doubled during these periods, taking the maximum reward to $500,000.

Impact Measurement: A Direct Correlation to Network Impact

The Bug Bounty Program is primarily focused on securing the base layer of the Ethereum Network. With this in mind, the impact of a vulnerability is in direct correlation to its impact on the network as a whole. A Denial of Service vulnerability found in a client used by a small percentage of the network would certainly cause issues for the users of that client, but the same vulnerability would have a higher impact on the Ethereum Network if it existed in a client used by a larger percentage of the network.

Visibility: Clarifying How to Report Vulnerabilities

In addition to the merge of the bounty programs and the increase of the maximum reward, multiple steps have been taken to clarify how to report vulnerabilities. Repositories such as ethereum/consensus-specs and ethereum/go-ethereum now contain information on how to report vulnerabilities in SECURITY.md files. A security.txt file and a DNS Security TXT record are also implemented, and both contain information about how to report vulnerabilities.

Getting Started: A Bounty Hunter's Guide

With nine different clients written in various languages, Solidity, the Specifications, and the deposit smart contract all within the scope of the bounty program, there is plenty for bounty hunters to dig into. If you're looking for ideas on where to start your bug hunting journey, take a look at the previously reported vulnerabilities. This list was last updated in March and contains all the reported vulnerabilities we have on record, up until the Altair network upgrade.

Conclusion

The evolution of the Ethereum Foundation's Bug Bounty Program is a significant step towards securing the Ethereum Network. With a 10x increase in maximum rewards and a unified front against vulnerabilities, the program is better equipped to identify and mitigate vulnerabilities across the Execution Layer and Consensus Layer. We look forward to seeing the impact of this significant move on the Ethereum Network.


Source: https://blog.ethereum.org/en/2022/05/16/secured-no-4
