Merge Bug Bounty 4x Bonus (until 8th of September!)
All Merge-related bounties for vulnerabilities have received a 4x multiplier between now and the 8th of September
Critical bugs are now worth up to $1 million USD.
Earn up to $250,000 USD (up to $1 million between now and the 8th of September) and a place on the leaderboard by finding protocol, client and Solidity bugs affecting the Ethereum network.
In Scope:
Our bug bounty program spans end-to-end: from the soundness of protocols (such as the blockchain consensus model, the wire and p2p protocols, proof of work, proof of stake, etc.) and protocol/implementation compliance to network security and consensus integrity. Classical client security as well as the security of cryptographic primitives are also part of the program. When in doubt, send an email to bounty@ethereum.org and ask us.
1/ Specification bugs:
- Safety/finality-breaking bugs
- Denial of service (DOS) vectors
- Inconsistencies in assumptions, like situations where honest validators can be slashed
- Calculation or parameter inconsistencies
2/ Client bugs:
- Spec non-compliance issues
- Unexpected crashes, RCE or denial of service (DOS) vulnerabilities
- Any issues causing irreparable consensus splits from the rest of the network
3/ Solidity bugs
4/ Deposit Contract bugs
Out of scope
Only the targets listed under in-scope are part of the Bug Bounty Program. This means that, for example, our infrastructure (such as web pages, DNS, email, etc.) is not part of the bounty scope. ERC20 contract bugs are typically not included in the bounty scope; however, we can help reach out to affected parties, such as authors or exchanges, in such cases. ENS is maintained by the ENS foundation and is not part of the bounty scope.
Submitting a bug
For each valid bug you find you’ll earn rewards. The quantity of rewards awarded will vary depending on severity. The severity is calculated according to the OWASP risk rating model, based on impact on the Ethereum network and likelihood.
The EF will also provide rewards based on:
- Quality of description: Higher rewards are paid for clear, well-written submissions.
- Quality of reproducibility: A proof of concept (PoC) must be included to be eligible for rewards. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included: Higher rewards are paid for submissions with a clear description of how to fix the issue.