The Eth2 Bounty Program provides bounties for bugs in Eth2 (a major upgrade to Ethereum's core consensus). We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. Note that this bounty program doesn't cover Eth 1.x; that program can be found here.
See Rules & Rewards section below for more details.
Please have a look at the bullets below before starting your hunt!
The value of the reward paid out varies with Severity. Severity is calculated according to the OWASP risk rating model from Impact and Likelihood.
Reward sizes are guided by the rules below but are ultimately determined at the sole discretion of the Ethereum Foundation bug bounty panel.
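The OWASP risk rating model referenced above can be worked through in code. The block below is an added example, not code from the bounty program or the Ethereum Foundation: it averages the OWASP likelihood and technical-impact factors (each scored 0 to 9), buckets them into LOW / MEDIUM / HIGH, and reads the overall severity off the OWASP matrix. The factor names, thresholds and matrix follow the published OWASP methodology; the choice of the technical impact factors (rather than business impact) and the scores for the hypothetical consensus bug are assumptions. The panel's final score may of course differ; this is only a way to sanity-check your own estimate before submitting.

```python
"""
Added example (not from the bounty page): severity per the OWASP Risk Rating
Methodology. Factor names, the 0-9 scale, the LOW/MEDIUM/HIGH thresholds and
the overall-severity matrix follow the published OWASP methodology; using the
technical impact factors and the sample scores below are assumptions.
"""
from statistics import mean

# Likelihood is the average of eight factors: four threat-agent factors and
# four vulnerability factors, each scored 0 (least likely) to 9 (most likely).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)

# Impact is the average of the technical impact factors (OWASP also defines
# business impact factors; the technical set is assumed here).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP overall-severity matrix, keyed by (likelihood level, impact level).
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "Note",     ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",  ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score: float) -> str:
    """Bucket a 0-9 score: 0 to <3 is LOW, 3 to <6 is MEDIUM, 6 to 9 is HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 OWASP scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average_factors(scores: dict, names: tuple) -> float:
    """Check that every required factor is present and in range, then average them."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= scores[n] <= 9:
            raise ValueError(f"factor {n} = {scores[n]} is outside the 0-9 scale")
    return mean(scores[n] for n in names)


def rate(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Return overall likelihood and impact, their levels, and the OWASP severity."""
    likelihood = average_factors(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_factors(impact_scores, IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood, "likelihood_level": l_level,
        "impact": impact, "impact_level": i_level,
        "severity": SEVERITY_MATRIX[(l_level, i_level)],
    }


# Constructed sample scores for a hypothetical state-transition bug that lets a
# crafted block pass validation in one client but not another (a chain split).
CONSENSUS_BUG_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 3, "ease_of_exploit": 5, "awareness": 4, "intrusion_detection": 8,
}
CONSENSUS_BUG_IMPACT = {
    "loss_of_confidentiality": 2, "loss_of_integrity": 9,
    "loss_of_availability": 7, "loss_of_accountability": 1,
}

if __name__ == "__main__":
    for key, value in rate(CONSENSUS_BUG_LIKELIHOOD, CONSENSUS_BUG_IMPACT).items():
        print(f"{key}: {value}")
```

For the constructed scores the likelihood averages 6.375 (HIGH) and the impact 4.75 (MEDIUM), which the matrix maps to an overall severity of High. Note that a chain-split bug with the same likelihood but a loss-of-integrity score that pushed impact past 6 would rate Critical, so the integrity and availability scores are the ones worth arguing carefully in a submission.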
1 point currently corresponds to 2 USD (payable in ETH or DAI); this rate may change without prior notice.
Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):
Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc.). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
This bug bounty program is focused on finding bugs in the core Eth2 Phase 0 spec and the following client implementations:
The program is intended to span from soundness of protocols to implementation. We go into more specifics below, but if you have any questions about the scope, send an e-mail to email@example.com and ask us.
The phase 0 spec consists of the following elements:
Some examples of things we’re looking for:
As stated above, only Prysm, Lighthouse, and Teku bugs are currently eligible for this bounty. More clients will be added as they complete audits and become production ready.
Some examples of things we’re looking for:
The phase 1 and phase 2 specs are still in active development and so are not yet included in this bounty program.
Clients other than those mentioned above are not yet in scope either. Pending successful audits, Nimbus and Lodestar will be added to the program.
Please use the following structure to aid in prompt review:
Description: High-level description of the bug [1 sentence]
Attack scenario: More detailed description of the attack/bug scenario and unexpected/buggy behaviour [1 to 3 sentences]
Impact: Describe the effect this may have in a production setting [1 to 2 sentences]
Components: Point to the files, functions, and/or specific line numbers where the bug occurs [1 to 2 sentences]
Reproduction: If you used any tools or simulations to find the bug, describe in detail how to reproduce the buggy behaviour. Showcasing the bug using the Python spec and the associated test infrastructure in the spec repo is preferred!
Details: Very specific details about the bug: what state the system must be in, what types of messages must be included and in which order, etc.
Fix: Description of suggested fix if available
No end date is currently set. See the “News & Updates” section above, and the Ethereum blog for the latest news.
Rewards are paid out in ETH or DAI after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. We will also need your ETH address.
Yes. We can donate your reward to an established charitable organization of your choice.
We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.
Yes, please let us know if you do not want your name/nick displayed on the leaderboard.
Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.
Email us at firstname.lastname@example.org.