Description
Is your feature request related to a problem? Please describe.
We need to make the bug bounty page a bit more clear with regards to rules and expectations for the security researchers.
Describe the solution you'd like
We should make it clear that Severity is measured by the finding’s impact on the entire Ethereum network.
We often base the impact a client will have on the network on https://clientdiversity.org/
Severity Definitions
Critical Severity
Vulnerabilities that allow an attacker to slash more than 50% of validators, exploit an EIP/specification or client bug to easily create an infinite amount of ETH which is finalized by the network, steal ETH from all EOAs, burn ETH from all EOAs, or take down the entire network by sending a single malicious on-chain transaction that ends up crashing all clients.
High Severity
Vulnerabilities that allow an attacker to slash more than 33% of validators, trivially cause network splits affecting more than 33% of the network, or bring down more than 33% of the network by sending a single network packet or an on-chain transaction.
Medium Severity
Vulnerabilities that allow an attacker to slash more than 1% of validators, trivially cause network splits affecting more than 5% of the network, or bring down more than 5% of the network by sending a single network packet or an on-chain transaction.
Low Severity
Vulnerabilities that allow an attacker to slash more than 0.01% of validators, trivially cause network splits affecting at least 0.01% of the network, or bring down more than 0.01% of the network by sending a single network packet or an on-chain transaction.
Out of scope
Typographical errors.
Tests
High-effort (sustained, CPU or bandwidth intensive, and/or requires more than 1 packet or on-chain transaction) single-peer DoS attacks.
Any publicly known issues (includes forum posts, PRs, GitHub issues, commits, blog posts, public Discord messages, etc.)
Describe alternatives you've considered
None
Additional context
I can obviously help out with discussions/brainstorming about this, etc.
Would you like to work on this issue?
- Yes
- No