Open for submissions
Clients featured in the bounties
This bug bounty program is focused on finding bugs in the core Eth2 Beacon Chain specification and the Prysm, Lighthouse, and Teku client implementations.
The beacon chain specification bugs
The beacon chain specification details the design rationale and proposed changes to Ethereum via the beacon chain upgrade.
It might be helpful to check out the following annotations:
Types of bug
- safety/finality-breaking bugs.
- denial of service (DOS) vectors
- inconsistencies in assumptions, like situations where honest validators can be slashed.
- calculation or parameter inconsistencies.
Eth2 client bugs
The clients will run the beacon chain once the upgrade has been deployed. Clients will need to follow the logic set out in the specification and be secure against potential attacks. The bugs we want to find are related to the implementation of the protocol.
Currently Lighthouse, Nimbus, Teku, and Prysm bugs are currently eligible for this bounty. More clients may be added as they complete audits and become production ready.
Types of bug
- spec non-compliance issues.
- unexpected crashes or denial of service (DOS) vulnerabilities.
- any issues causing irreparable consensus splits from the rest of the network.
The merge and shard chain upgrades are still in active development and so are not yet included as part of this bounty program.
Submit a bug
For each bug you find you’ll be rewarded points. The points you earn depend on the severity of the bug. The Ethereum Foundation (EF) determine severity using the OWASP method. View OWASP method
The EF will also award points based on:
Quality of description: Higher rewards are paid for clear, well-written submissions.
Quality of reproducibility: Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
Quality of fix, if included: Higher rewards are paid for submissions with clear description of how to fix the issue.
The Ethereum Foundation will pay out the value of USD in ETH or DAI.
The Ethereum Foundation reserves the right to change this without prior notice.
Up to 2,000 DAI
- Low impact, medium likelihood
- Medium impact, low likelihood
Up to 10,000 DAI
- High impact, low likelihood
- Medium impact, medium likelihood
- Low impact, high likelihood
Up to 20,000 DAI
- High impact, medium likelihood
- Medium impact, high likelihood
Up to 50,000 DAI
- High impact, high likelihood
Bug hunting rules
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
- Issues that have already been submitted by another user or are already known to spec and client maintainers are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- Ethereum Foundation researchers and employees of Eth2 client teams are not eligible for rewards.
- Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.
Bug hunting leaderboard
Find Eth2 bugs to get added to this leaderboard
Email us: email@example.com