Ethereum bumps up bug bounty payouts ahead of 2.0 release


Charlie Osborne

19 November 2020 at 14:29 UTC

Updated: 19 November 2020 at 15:23 UTC

Security researchers can earn themselves up to $50,000 for finding flaws in the cryptocurrency platform

The Ethereum 2.0 bug bounty program has bumped up rewards for researchers who submit valid vulnerability reports ahead of a shift to a Proof-of-Stake model.

Bug hunters can earn up to $50,000 for critical vulnerabilities in the hotly-anticipated Ethereum 2.0 upgrade.

The Ethereum Foundation bug bounty panel will decide on financial rewards issued and will lean upon the OWASP risk model when making decisions.

Vulnerabilities are loosely categorized by severity: the most dangerous (critical) vulnerabilities can earn researchers up to 25,000 “points”, whereas high impact bugs can be worth 10,000 points.

Medium and low risk security flaws can result in up to 5,000 and 1,000 points being issued, respectively.

Points-based system

Each “point” earned in the program is the equivalent of $2, made in either the Ethereum (ETH) cryptocurrency or Dai (DAI) stablecoin.

The program is looking for vulnerabilities impacting the safety of the core Eth2 Phase 0 specification, as well as finality-breaking bugs, denial-of-service (DoS) vectors, and security issues relating to validation, such as when “honest” validators are impacted by calculation or parameter problems.

In addition, the prysm, lighthouse, and teku client implementations are in scope.

More client implementations will join the list once they have passed preliminary audits. For the clients in scope, vulnerabilities associated with non-compliance with the specification, DoS attacks, crashes, and consensus splits will be considered.

The rewards on offer may also depend on the quality of bug reports, how easy they are to reproduce, and whether or not bug bounty hunters have offered a way to fix vulnerabilities.


Alongside financial rewards, the Ethereum Foundation has created a leaderboard to display its top bug bounty hunters.

“The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform,” the organization says.

“It is not a competition… awards are at the sole discretion of the Ethereum Foundation bug bounty panel.”

Previously, the program offered up to $10,000 for vulnerability disclosures.

Changes

The rewards boost comes roughly two weeks ahead of a planned transition from the Proof-of-Work (PoW) model to Proof-of-Stake (PoS).

PoW models allow users to mine cryptocurrencies by having their computers solve complex mathematical problems; however, the energy required to mine crypto increases over time. PoS instead uses validators, giving voting rights to nodes through a general consensus process.

The Ethereum Foundation has been working on a PoS system, dubbed Casper, since 2014, in what is known as the Serenity release. The shift to the Phase 0 Beacon Chain is slated for December 1.

The Daily Swig has reached out to the Ethereum Foundation and will update this article accordingly.
