Today, we disclosed the first set of vulnerabilities from the Ethereum Foundation’s Bug Bounty Programs. These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation or client teams via the Bug Bounty Programs for both the Execution Layer and Consensus Layer.
Through its Bug Bounty Programs, which allow the Ethereum Foundation (EF) to coordinate and cross-check vulnerabilities across clients, the EF currently accepts vulnerability reports for Nimbus, Teku, Lighthouse, Prysm, Lodestar, Go Ethereum, Nethermind, Erigon and Besu.
New repository & vulnerability list
The full list of vulnerabilities, along with additional information, can be found in a git repository here.
The new disclosures repository catalogues all known vulnerabilities that were patched prior to the latest hardforks on the Execution Layer and Consensus Layer.
We would like to give a massive shout out to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for fixing them. While we have attempted to include the names or aliases of the reporters, there are many developers and researchers within the client teams and in the Ethereum Foundation who found and corrected vulnerabilities outside of the bounty program. There are also many unsung heroes such as client team developers, community members, and many more who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.
For more information, and to learn more about disclosure policies, timelines, and cataloging, head over to the new disclosures repository.
Your immense efforts have been instrumental to ensuring Ethereum’s security. Thank you!