Ethereum Foundation Raises Bug Bounty Cap to $250,000, Merges Two Security Programs Into One
The Ethereum Foundation consolidated its execution and consensus layer bug bounty programs in May 2022, setting a new maximum payout of $250,000 for critical vulnerabilities and signaling a sustained push toward network security ahead of its landmark proof-of-stake transition.
The Foundation announced the unified program on May 16, 2022, through its "Secured" security blog series. The move combined two previously separate initiatives: the original Execution Layer program, running since 2015, and the Consensus Layer program launched in December 2020 alongside the Beacon Chain. The consolidation raised the critical-severity ceiling to 20 times the prior Execution Layer cap and 10 times the prior Consensus Layer cap. Researchers can submit reports covering nine client implementations across both layers, along with the Solidity compiler, protocol specifications, and the Beacon Chain deposit contract.
A Tiered Structure With a Multiplier
The unified program uses four reward tiers. Critical vulnerabilities pay up to $250,000. High-severity bugs pay up to $50,000. Medium-severity issues carry a $10,000 cap, and low-severity findings pay up to $2,000. The Foundation also introduced a time-based multiplier: when a network upgrade is live on public testnets and scheduled for mainnet, the maximum payout doubles to $500,000. All rewards are paid in ETH or DAI only. There is no fiat payment option.
The nine clients in scope span both layers. On the consensus side, the program covers Nimbus, Teku, Lighthouse, Prysm, and Lodestar. On the execution side, it covers Go Ethereum (Geth), Nethermind, Erigon, and Besu. The Foundation noted that reward severity is assessed partly by the share of nodes running the affected client. In practice, this means a critical bug in Geth, which has historically powered the majority of Ethereum nodes, would be weighted more heavily than an equivalent bug in a minority client.
The 2021 Geth Incident Shaped the Reward Increase
The scale of the reward increase reflected a specific lesson from August 2021. A high-severity vulnerability in Geth, catalogued as CVE-2021-39137, triggered a live chain split on Ethereum mainnet. At the time, roughly 75% of all Ethereum nodes ran Geth. Only about 30% of all Ethereum nodes had applied the emergency patch before the split occurred.
The bug, discovered by security researcher Guido Vranken at blockchain security firm Sentnl, briefly created conditions where double-spending attacks were a realistic risk.
The incident made the case that client-level vulnerabilities in Ethereum carry systemic consequences, and that the existing bounty caps did not reflect that risk.
The Foundation's framing in its announcement was direct on this point: "The impact of a vulnerability is in direct correlation to the impact on the network as a whole."
The May Announcement Was the Start, Not the Peak
The $250,000 cap established in May 2022 was not the final word. As the Ethereum Merge drew closer, the Foundation applied additional multipliers. By August 24, 2022, with the Merge scheduled for mid-September, a temporary 4x multiplier pushed the critical-severity ceiling to $1,000,000. That figure held through September 8, 2022. The Merge executed on September 15, 2022. Fredrik Svantes, a security researcher at the Foundation who oversees the program, later described the Foundation as running "the world's oldest blockchain bug bounty program." He presented the program's history and structure at Devcon 6 in Bogotá in October 2022.
The pattern continued after the Merge. Ahead of the Shapella upgrade in April 2023, which enabled validator withdrawals from the Beacon Chain, the Foundation again doubled the maximum payout to $500,000. Svantes said during a developer call ahead of the upgrade: "Go ahead and start looking for more vulnerabilities as the max bounty payout for Shapella-specific issues is now up to half a million dollars." The pattern suggests that large reward escalations around major upgrades have become deliberate policy, not one-off events.
Regional Access: Opportunity With Caveats
The program's structure carries real implications for security researchers outside the United States and Western Europe. India, the fastest-growing nation for new Web3 developers globally, now accounts for roughly 17% of all new Web3 developers, according to Electric Capital data.
Nigeria ranks third worldwide for new Web3 developer growth, with over 16,000 developers added to the Ethereum ecosystem. For researchers in these markets, a $250,000 critical-severity payout represents life-changing compensation by any regional income standard, and the multiplier windows can push that figure higher.
The DAI payment option is practically significant here. DAI is a stablecoin pegged to the US dollar. Receiving payment in DAI rather than ETH removes exposure to token price volatility and avoids the wire transfer and banking access friction that a USD payout would require in many markets.
At least one researcher received a full $250,000 payout during the Merge window for identifying a consensus-layer bug, confirming that these figures are not theoretical.
One restriction applies broadly: researchers in sanctioned countries or on sanctions lists are not eligible to participate. Several nations in Africa and the Middle East carry sanctions exposure that would disqualify otherwise qualified researchers, including Sudan, Zimbabwe, and Libya. This is a real exclusion, and potential participants should verify their eligibility before submitting.
The Ethereum Foundation publishes its historical vulnerability disclosures publicly via GitHub at ethereum/public-disclosures, a transparency practice it formalized for the first time in March 2022.
For security researchers in fast-growing developer markets, the Ethereum Foundation's program represents a legitimate and well-documented income track. The Secured blog series provides a direct window into the Foundation's risk assessments ahead of each upgrade cycle, and the consistent pattern of reward escalations around major upgrades means that the highest payouts tend to arrive precisely when the network's need for close scrutiny is greatest.