Ethereum Bug Bounty Program

Domains: Cybersecurity, Protocol, Open Source

Overview

The Ethereum Foundation Bug Bounty Program rewards security researchers who discover and responsibly disclose vulnerabilities affecting the Ethereum network. The program covers protocol specifications, client implementations, language compilers, the deposit contract, and critical dependencies. The maximum payout has recently been increased from $250,000 to $1,000,000 USD for critical-severity bugs, reflecting the growing importance of securing the network.

Key Details

  • Reward: Up to $2,000 (Low), up to $10,000 (Medium), up to $50,000 (High), up to $1,000,000 (Critical)
  • Payout Method: ETH or DAI

Scope

  • Specification Bugs: Consensus layer and execution layer spec issues, including safety/finality-breaking bugs, DoS vectors, and parameter inconsistencies
  • Client Bugs: Execution layer clients (Besu, Erigon, Geth, Nethermind, Reth) and consensus layer clients (Lighthouse, Lodestar, Nimbus, Teku, Prysm, Grandine) — covering spec non-compliance, crashes, RCE, DoS, and consensus split issues
  • Language Compiler Bugs: Solidity and Vyper compiler vulnerabilities
  • Deposit Contract Bugs: Beacon Chain Deposit Contract specification and source code
  • Dependency Bugs: C-KZG-4844 and Go-KZG-4844

Out of Scope

Infrastructure bugs (webpages, DNS, email), ERC-20 contract bugs, ENS bugs, publicly exposed API vulnerabilities, typographical errors, publicly known issues, and anything without direct impact on Ethereum mainnet.

Rules

The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g., North Korea, Iran). Local laws require us to ask for proof of your identity. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours, and must take place on locally running testnets.

  • Issues without a PoC, that have already been submitted by another user, or that are already known to spec and client maintainers are not eligible for bounty rewards.
  • Public disclosure of a vulnerability or reporting it to other parties without prior agreement makes it ineligible for a bounty.
  • Employees and contractors of the Ethereum Foundation, Ethereum Foundation grantees, or client teams in scope of the bounty program may participate in the program only in the accrual of points and will not receive monetary rewards.
  • The Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.

How to Participate

  1. Identify a vulnerability within the in-scope targets
  2. Submit your finding through the official bug submission form
  3. Allow a few days for the bounty panel to review and respond

About the Company

Ethereum Foundation
