Ethereum Foundation Bug Bounty Program

A burn in ETH is required to submit a report in order to prevent spam.

Before submitting

Visit bounty.ethereum.org to see what is and what is not in scope.

Websites and other things not listed on bounty.ethereum.org are not in scope and will be ignored.

A fully functional proof of concept against a mainnet setup of Ethereum is required. It is strongly advised to have a proof of concept that works with Kurtosis.

The following resources should help you get started:

Important: Due to a large increase in reports, response time is likely to be multiple days.

Report details

Do not include personal identifiable information that is unrelated to the vulnerability.

Full Name Email Address Wallet Address

Address to receive potential reward.

Leaderboard name

Name to display on the leaderboard. You may use a pseudonym.

Github Username

Github account to link to on the leaderboard.

Reward

ETH or DAI for reward.

Target Severity

Vulnerable Version or Commit

Release, tag, commit SHA, or client version where the issue was confirmed.

Bug Report Title Short Description

One sentence description of the vulnerability.

Attack Scenario

In what scenario would this be an issue?

Impact

Describe the effect this may have in a production setting.

Components

Point to the files, functions, and/or specific line numbers where the bug occurs.

Proof of Concept

A clear proof of concept is required. Without a clear reproducible attack, the issue will be ignored, and there is no refund. Using Kurtosis is the preferred way as it makes it clear and easily reproducible.

Suggested Fix

Description of suggested fix, if available.

Additional Information

Any details not covered above.

Ethereum Foundation Bug Bounty Program

Before submitting

Report details

Submit bug report

Select wallet

Report submitted