The Ethereum Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. Martin now works for the Ethereum Foundation and, among other things, manages the bug bounty program.
The value of rewards paid out will vary depending on Severity. Reward sizes are guided by the rules below, but are, in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.
Between and Byzantium hard-fork on Mainnet, each point corresponds to 2 USD for issues related to cross-client consensus or geth DoS vulnerabilities. Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard, with points accumulating over the course of the program. In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including but not limited to the following.
The bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation bug bounty panel. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc.). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.
Our bug bounty program spans end-to-end: classical client security as well as the security of cryptographic primitives are part of the program. Details on the scope follow. The idea for Ethereum was initially published in the White Paper.
This concept has been realized in a few protocols and algorithms up for scrutiny. Assuming that the protocols and algorithms are flawless, does a client implementation conform to the formal protocol specification? Here is an example from Bitcoin of a global network-based DoS scenario. Here is an example of a problem hidden in an external library. Here is an EC key generation example.
Also have a look here. Here is an example of a submitted Solidity bug. Here is an example of a bug in the initial ENS registrar that would have allowed people to bid during the reveal period, thus affecting the legitimacy of auction results. An attacker can send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work.
Send a block to a Go node that contains many txs but no valid PoW. Blocks are validated in the method ProcessBlock (called with dontReact). This method performs expensive CPU-intensive tasks, such as executing transactions (sm.ApplyDiff), and only afterward verifies the proof-of-work (sm.). This allows an attacker to send blocks that may require a high amount of computation (the maximum gasLimit) but have no proof-of-work.
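The validation-ordering problem described above, shown as an added example that is not geth's own code: a toy block processor in two variants, one that executes transactions before checking proof-of-work and one that checks proof-of-work first. Tx, Block, validPoW and executeTxs are constructed stand-ins with a toy hash target, not the client's real types.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)
// Tx and Block are constructed stand-ins for client types; Gas is the work a tx costs to run.
type Tx struct{ Gas uint64 }
type Block struct {
	Nonce, GasLimit uint64
	Txs             []Tx
}
// validPoW is the cheap header check: the toy target is a hash whose first byte is zero.
func validPoW(b Block) bool {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d:%d", b.Nonce, b.GasLimit)))
	return h[0] == 0
}

// executeTxs is the expensive step: it returns the gas actually spent, capped by GasLimit.
func executeTxs(b Block) uint64 {
	var used uint64
	for _, tx := range b.Txs {
		if used+tx.Gas > b.GasLimit {
			break
		}
		used += tx.Gas
	}
	return used
}

// processBlockVulnerable mirrors the ordering described above: execute first, verify PoW last.
func processBlockVulnerable(b Block) (ok bool, gasBurned uint64) {
	gasBurned = executeTxs(b)
	return validPoW(b), gasBurned
}

// processBlockFixed rejects a block with bad proof-of-work before doing any expensive work.
func processBlockFixed(b Block) (ok bool, gasBurned uint64) {
	if !validPoW(b) {
		return false, 0
	}
	return true, executeTxs(b)
}

func main() {
	b := Block{GasLimit: 1000, Txs: []Tx{{400}, {400}, {400}}} // constructed sample block
	for validPoW(b) { b.Nonce++ } // pick a nonce whose proof-of-work fails
	fmt.Println(processBlockVulnerable(b)) // false 800: full work done before rejecting
	fmt.Println(processBlockFixed(b))      // false 0: rejected without executing anything
}
```

The cheap check (header proof-of-work) must run before the expensive one (transaction execution); otherwise every unproven block costs the node up to GasLimit of CPU before it is discarded.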
No end date is currently set. Local laws require us to ask for proof of your identity. We aim to respond to submissions as fast as possible.
Feel free to email us if you have not received a response within a day or two. To be eligible for BTC rewards, we require your real name and a proof of your identity. Bounty hunters are ranked on our leaderboard by total points.
Yoonho Kim team Hithereum. Several new entries on the leaderboard! First off, we have awarded 10 points to the researchers from Boston University: Sharon Goldberg, Yuval Marcus and Ethan Heilman, for their research about eclipse attacks on geth nodes. The fixes were included in 1. The discrepancy could potentially cause a mining minority to be at a disadvantage.
This has been fixed by aligning how Geth and Parity treat such blocks. See the blog for a security announcement concerning the Mist Browser. The Mist browser is not considered production software, and we will not pay full rewards for upstream bugs. A very important reminder: Juno Im has been awarded another points for a Geth access control issue. Between now and the Byzantium mainnet hardfork, we will double the ratio of points-to-USD for any vulnerabilities affecting cross-client consensus or Geth denial-of-service.
All Byzantium functionality is considered in scope, as if it were already enabled on the mainnet. Harry Roberts has been awarded points for discovering a bug in how Solidity implemented ecrecover. See release notes for v0. Juno Im has been awarded points for a Mist vulnerability regarding the import of maliciously crafted wallet files.
Yaron Velner has been awarded points for an ENS submission, whereby the ENS second price could be manipulated via replay, forcing winners to pay the full amount offered. Bug 1 and bug 2. ENS is now officially included in the program. Solidity is now officially included within the bug bounty program. The Ethereum hard fork code is in scope of the Ethereum bounty program. Please see the latest hard fork specification. As we are launching Frontier, we will continue the bounty program throughout and at least until Homestead.
One extension, and one change: From now on, core CPP libraries will be in scope as well. The genesis block inscription reward is altered to an entry in the namereg.
The develop branch is the target. The bounty program will remain running for at least the duration of the upcoming Ethereum Frontier release. Please see the Ethereum blog for more information about Frontier! These scripts by Jonas Nick can be helpful to build the Ethereum Go client and test it. Please note the currently known issues. Another major vulnerability found by Jonas Nick.
Ethereum websites are out of scope for the bounty program and not eligible for rewards. With that said, we are thankful for submissions relating to webpage security and will work to fix these issues. Issues that have already been submitted by another user or are already known to the Ethereum team are not eligible for bounty rewards.
Public disclosure of a vulnerability makes it ineligible for a bounty. You can start or fork a private chain for bug hunting. Please respect the Ethereum main and test networks and refrain from attacking them. Anyone who works with the codebase as a professional Ethereum developer is not eligible for rewards. Ethereum websites or Ethereum Foundation infrastructure in general, are NOT part of the bounty program.
The Ethereum bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ethereum Foundation bug bounty panel.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including but not limited to the following. Higher rewards are paid for clear, well-written submissions. Please include test code, scripts and detailed instructions: the easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos to learn more about our test suite in the official documentation.
Quality of fix, if included: higher rewards are paid for submissions with a clear description of how to fix the issue.
Protocol security. The protocols and algorithms up for scrutiny: the blockchain consensus protocol, state engine and virtual machine, as well as encodings and Merkle Patricia trees, as specified in the Yellow Paper. Help identify flaws such as ones found in the Yellow Paper, relating to conceptual security issues in the formal specification of the Ethereum protocol.
A concrete example could be a contract that consumes very little gas but leads to a lot of computational effort, effectively opening the door for DoS attacks.