On October 9, Ethereum researcher Danny Ryan announced the launch of the Eth2 bounty program, stating that the spec and attacknet programs are now deprecated in favor of the general program for all of Ethereum 2.0.
In the tweet, Ryan shared the link to the new bug bounty program, officially announcing its beginning and urging coders to test it out. According to information on the page, the Eth2 Bounty Program will provide bounties for finding bugs in the first stage of Ethereum 2.0, a major upgrade to Ethereum’s core consensus.
Developers will be able to earn various rewards for finding vulnerabilities and get a place on a special leaderboard. The program also lists the rules and rewards that are known at present. The system works with so-called “bounty points” that represent the importance of each bug found by the community. According to the Ethereum Foundation, 1 bounty point will be worth 2 USD, payable in either ETH or DAI (this could be changed without any prior notice).
According to the information provided, programmers will be able to receive bounty points for each issue they find within the software. Depending on how important their discovery is for the network, they can earn up to 25,000 points. Right now, the reward sizes are separated into 4 categories of severity:
- Critical: up to 25,000 points
- High: up to 10,000 points
- Medium: up to 5,000 points
- Low: up to 1,000 points
The final score also depends on three other factors: quality of description, quality of reproducibility, and quality of fix. Clear and well-written submissions will accumulate more points for the developer, with the prize increasing even further if test code, scripts, and detailed instructions are included. Coders who diligently describe how to fix certain issues will be able to claim additional rewards.
As the bug bounty program is focused on finding bugs in Phase 0 of Ethereum 2.0, enthusiasts will be able to review the Prysm, Lighthouse, and Teku implementations of the beacon chain. The Ethereum community has yet to receive further information on how the bounties will be paid out, as local laws might require additional proof of identity and other documentation.