ETH2 Bounty Program

The Eth2 Bounty Program provides bounties for Eth2 (a major upgrade to Ethereum's core consensus) bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. Note that this bounty program doesn't cover Eth 1.x; that program can be found here.

See Rules & Rewards section below for more details.

Leaderboard

No entries yet. Be the first and submit a vulnerability here!

News & Updates

Stay tuned!

RULES & REWARDS

Please have a look at the bullets below before starting your hunt!

  • Issues that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Ethereum Foundation researchers and employees of Eth2 client teams are not eligible for rewards.
  • The Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

The value of rewards paid out will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:

[Figure: severity matrix]

Reward sizes are guided by the rules below, but are, in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.

  • Critical: up to 25 000 points
  • High: up to 10 000 points
  • Medium: up to 5 000 points
  • Low: up to 1 000 points

1 point currently corresponds to 2 USD (payable in ETH or DAI), which may change without prior notice.

Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.

In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):

  • Quality of description. Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.

Important Legal Information

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc.). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

BOUNTY SCOPE

This bug bounty program is focused on finding bugs in the core Eth2 Phase 0 spec and the following client implementations:

The program is intended to span from soundness of protocols to implementation. We go into more specifics below, but if you have any questions about the scope, send an e-mail to bounty@ethereum.org and ask us.

Phase 0 spec

The phase 0 spec consists of the following elements:

Some examples of things we’re looking for:

  • safety/finality-breaking bugs
  • DoS vectors
  • inconsistencies in assumptions, e.g. situations where honest validators can be slashed
  • calculation or parameter inconsistencies

For more context on the spec, check out Ben Edgington’s and Vitalik Buterin’s annotated versions.

Client implementations

As stated above, only prysm, lighthouse, and teku bugs are currently eligible for this bounty. More clients will be added as they complete audits and become production ready.

Some examples of things we’re looking for:

  • spec non-compliance issues
  • unexpected crashes or DoS vulnerabilities
  • any issues causing irreparable consensus splits from the rest of the network

What’s not included?

The phase 1 and phase 2 specs are still in active development and so are not yet included as part of this bounty program.

Clients other than those mentioned above aren’t considered yet either. Pending successful audits, Nimbus and Lodestar will be added to the program.

FAQ

So, what should a good vulnerability submission look like?

Please use the following structure to aid in prompt review:

Description: High-level description of the bug [1 sentence]

Attack scenario: More detailed description of the attack/bug scenario and unexpected/buggy behaviour [1 to 3 sentences]

Impact: Describe the effect this may have in a production setting [1 to 2 sentences]

Components: Point to the files, functions, and/or specific line numbers where the bug occurs [1 to 2 sentences]

Reproduction: If you used any tools or simulations to find the bug, describe in detail how to reproduce the buggy behaviour. Showcasing the bug using the python spec and associated test infrastructure found in the spec repo is preferred!

Details: Very specific details about the bug: what state the system must be in, what types of messages must be included and in which order, etc.

Fix: Description of suggested fix if available

So, the bug bounty program is time limited?

No end date is currently set. See the “News & Updates” section above, and the Ethereum blog for the latest news.

How are bounties paid out?

Rewards are paid out in ETH or DAI after the submission has been validated, usually a few days later. Local laws require us to ask for proof of your identity. In addition, we will need your ETH address.

Can I donate my reward to charity?

Yes. We can donate your reward to an established charitable organization of your choice.

I reported an issue / vulnerability but have not received a response!

We aim to respond to submissions as fast as possible. Feel free to email us if you have not received a response within a day or two.

I want to be anonymous / I do not want my name or nick on the leaderboard.

That's fine; please let us know if you do not want your name/nick displayed on the leaderboard.

What are the points in the leaderboard?

Every found vulnerability / issue is assigned a score. Bounty hunters are ranked on our leaderboard by total points.

I have further questions.

Email us at eth2bounty@ethereum.org.