{"id":17824,"date":"2026-03-02T04:29:25","date_gmt":"2026-03-02T04:29:25","guid":{"rendered":"https:\/\/cryptoted.net\/index.php\/2026\/03\/02\/secured-5-public-vulnerability-disclosures-update\/"},"modified":"2026-03-02T04:29:25","modified_gmt":"2026-03-02T04:29:25","slug":"secured-5-public-vulnerability-disclosures-update","status":"publish","type":"post","link":"https:\/\/cryptoted.net\/index.php\/2026\/03\/02\/secured-5-public-vulnerability-disclosures-update\/","title":{"rendered":"Secured #5: Public Vulnerability Disclosures Update"},"content":{"rendered":"<p> <br \/>\n<br \/><img decoding=\"async\" src=\"https:\/\/blog.ethereum.org\/images\/posts\/upload_630d77544672a1e0df792c0d71489bd6.jpg\" \/><\/p>\n<div id=\"\">\n<p class=\"chakra-text css-gi02ar\">Today, we have <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/public-disclosures\/\">disclosed<\/a> the second set of vulnerabilities from the Ethereum Foundation Bug Bounty Program! \ud83e\udd73 These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation.<\/p>\n<p class=\"chakra-text css-gi02ar\">When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to affected teams and helps cross-check vulnerabilities across all clients. The Bug Bounty Program currently accepts reports for the following client software:<\/p>\n<ul role=\"list\" class=\"css-1ars4k6\">\n<li class=\"css-0\">Erigon<\/li>\n<li class=\"css-0\">Go Ethereum<\/li>\n<li class=\"css-0\">Lodestar<\/li>\n<li class=\"css-0\">Nethermind<\/li>\n<li class=\"css-0\">Lighthouse<\/li>\n<li class=\"css-0\">Prysm<\/li>\n<li class=\"css-0\">Teku<\/li>\n<li class=\"css-0\">Besu<\/li>\n<li class=\"css-0\">Nimbus<\/li>\n<\/ul>\n<p class=\"chakra-text css-gi02ar\">In addition to client software, the Bug Bounty Program also covers the Deposit Contract, Execution Layer &amp; Consensus Layer Specifications and Solidity. \ud83d\ude4f<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"repository--vulnerability-list\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"repository  vulnerability list permalink\" href=\"#repository--vulnerability-list\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Repository &amp; vulnerability list<\/h2>\n<p class=\"chakra-text css-gi02ar\">Since the last vulnerability disclosure has been quite eventful with events such as the Merge \ud83d\udc3c and the max bounty reward increase to $250,000. \ud83d\udcb0<\/p>\n<p class=\"chakra-text css-gi02ar\">The highest paid reward during this period was $50,000. This was awarded to <strong>scio<\/strong> for reporting an issue in which Lighthouse beacon nodes crashed via malicious <span class=\"chakra-text css-ons8vw\">BlocksByRange<\/span> messages containing an overly large <span class=\"chakra-text css-ons8vw\">count<\/span> value. You can read more about this specific vulnerability <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/notes.ethereum.org\/mw-M7HxuRM-09nSPVqp52A\">here<\/a>. \ud83d\udca5<\/p>\n<p class=\"chakra-text css-gi02ar\">Another notable set of vulnerabilites has been around fork choice attacks. EF researchers and client teams investigated and patched <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/notes.ethereum.org\/@djrtwo\/2023-fork-choice-reorg-disclosure\">attacks that were able to cause long reorgs<\/a>. \ud83d\udc40<\/p>\n<p class=\"chakra-text css-gi02ar\"><strong>Guido Vranken<\/strong> holds the top spot most positive reports in this period. At the same time, Guido managed to collect the most points for the Bug Bounty Leaderboard! \ud83c\udfc6<\/p>\n<p class=\"chakra-text css-gi02ar\">We also have two bounty hunters who decided to donate their rewards to charities: <strong>nrv<\/strong> and <strong>PwningEth<\/strong>! \ud83d\udd25<\/p>\n<p class=\"chakra-text css-gi02ar\">The full list of new vulnerabilities, along with full details, can be found in the <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/public-disclosures\/\">disclosures repository<\/a>.<\/p>\n<p class=\"chakra-text css-gi02ar\">All vulnerabilities added to the disclosures catalogue were patched prior to the latest hardforks on the Execution Layer and Consensus Layer.<\/p>\n<p class=\"chakra-text css-gi02ar\">For more information, and to learn more about disclosure policies, timelines, and cataloging, head over to the <a target=\"_blank\" rel=\"noopener\" class=\"chakra-link css-vezwxf\" href=\"https:\/\/github.com\/ethereum\/public-disclosures\/\">disclosures repository<\/a>.<\/p>\n<h2 class=\"chakra-heading group css-1kpzc4q\" id=\"thank-you\" data-group=\"true\"><a class=\"chakra-link css-128fqrf\" aria-label=\"thank you permalink\" href=\"#thank-you\"><svg viewbox=\"0 0 24 24\" focusable=\"false\" class=\"chakra-icon css-173jpr1\"><g fill=\"currentColor\"><path d=\"M10.458,18.374,7.721,21.11a2.853,2.853,0,0,1-3.942,0l-.892-.891a2.787,2.787,0,0,1,0-3.941l5.8-5.8a2.789,2.789,0,0,1,3.942,0l.893.892A1,1,0,0,0,14.94,9.952l-.893-.892a4.791,4.791,0,0,0-6.771,0l-5.8,5.8a4.787,4.787,0,0,0,0,6.77l.892.891a4.785,4.785,0,0,0,6.771,0l2.736-2.735a1,1,0,1,0-1.414-1.415Z\"\/><path d=\"M22.526,2.363l-.892-.892a4.8,4.8,0,0,0-6.77,0l-2.905,2.9a1,1,0,0,0,1.414,1.414l2.9-2.9a2.79,2.79,0,0,1,3.941,0l.893.893a2.786,2.786,0,0,1,0,3.942l-5.8,5.8a2.769,2.769,0,0,1-1.971.817h0a2.766,2.766,0,0,1-1.969-.816,1,1,0,1,0-1.415,1.412,4.751,4.751,0,0,0,3.384,1.4h0a4.752,4.752,0,0,0,3.385-1.4l5.8-5.8a4.786,4.786,0,0,0,0-6.771Z\"\/><\/g><\/svg><\/a>Thank you \ud83d\ude4f<\/h2>\n<p class=\"chakra-text css-gi02ar\">We would like to give a massive shout out to everyone involved in the discovery and reporting of vulnerabilities, as well as to the teams responsible for fixing them. While we have attempted to include the names or aliases of all reporters, there are many developers and researchers within the client teams and in the Ethereum Foundation who found and corrected vulnerabilities outside of the bounty program. There are also many unsung heroes such as client team developers, community members, and many more who have spent countless hours triaging, cross-checking, and mitigating vulnerabilities before they could be exploited.<\/p>\n<p class=\"chakra-text css-gi02ar\">Your immense efforts have been instrumental to ensuring Ethereum&#8217;s security. <strong>Thank you!<\/strong><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/blog.ethereum.org\/en\/2023\/05\/03\/secured-5-disclosures-update\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we have disclosed the second set of vulnerabilities from the Ethereum Foundation Bug Bounty Program! \ud83e\udd73 These vulnerabilities were previously discovered and reported directly to the Ethereum Foundation. When bugs are reported and validated, the Ethereum Foundation coordinates disclosures to affected teams and helps cross-check vulnerabilities across all clients. The Bug Bounty Program currently [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":17825,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[24],"tags":[],"kronos_expire_date":[],"class_list":["post-17824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ethereum"],"_links":{"self":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/17824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/comments?post=17824"}],"version-history":[{"count":0,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/posts\/17824\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media\/17825"}],"wp:attachment":[{"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/media?parent=17824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/categories?post=17824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/tags?post=17824"},{"taxonomy":"kronos_expire_date","embeddable":true,"href":"https:\/\/cryptoted.net\/index.php\/wp-json\/wp\/v2\/kronos_expire_date?post=17824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}