VERSE PRESS

Crypto News, Global First.

Ethereum Foundation Opens Its Vulnerability Vault, Signaling Shift Toward Security Transparency

The Ethereum Foundation published its first formal batch of previously patched security vulnerabilities on March 9, 2022, giving node operators, validators, and researchers a public record of bugs that once posed serious risks to the network's execution and consensus layers.


The disclosures, authored by Fredrik Svantes, the Foundation's security lead, were posted to a new GitHub repository at github.com/ethereum/public-disclosures. This installment, known as Secured #2, built directly on the framework that Secured #1 had established: a structured approach to cataloguing how critical infrastructure bugs are found, reported, fixed, and eventually made public. The release marked a concrete output from the Foundation's "Secured" blog series, an ongoing transparency initiative covering security practices across the Ethereum ecosystem.


Two Programs, Nine Clients, One Catalogue

As of March 2022, the Ethereum Foundation operated two separate bug bounty programs.

The Execution Layer program had been running since 2015, making it one of the longest continuously active blockchain bug bounty programs in existence. The Consensus Layer program launched in 2020, ahead of the Beacon Chain going live. Together, the programs covered nine client implementations: Geth, Nethermind, Erigon, and Besu on the execution side, and Lighthouse, Lodestar, Nimbus, Teku, and Prysm on the consensus side.

The Foundation's disclosure policy targets a 90-day window between when a bug is reported and when it becomes public. That window can extend if a vulnerability is being actively exploited. Critically, no vulnerability is added to the public catalogue until it has been confirmed patched, which in practice means fixed before the relevant network hardfork.

"All vulnerabilities added to the disclosures catalogue were patched prior to the latest hardforks on the Execution Layer and Consensus Layer," the Foundation stated in Secured #5, published May 2023.


Why Client Concentration Made These Bugs More Dangerous

The timing of the disclosure series matters. At the point Secured #2 was published, roughly 60 to 66 percent of Ethereum's consensus layer validators were running a single client, Prysm. In blockchain networks, a "consensus client" is the software that validators use to agree on the canonical chain. When more than two-thirds of validators run the same software, a single critical bug in that software can halt the network's ability to finalize transactions for extended periods.

The threat is not abstract. Ethereum documentation describes it plainly: "A bug in a supermajority client that has over two-thirds of validators could be extremely damaging to the network." This risk has historical precedent on the execution layer as well. The 2016 Shanghai DOS attack exploited Geth's then-dominant execution-layer market share to amplify its impact across the network, offering a direct parallel to the client concentration risk the Foundation's disclosure programme was designed to help address. A more recent concrete example surfaced on the Kintsugi testnet, a merge-readiness environment, just weeks before Secured #2 was published. A missing check in two clients caused an invalid block to be accepted as valid, and a subsequent error prevented validators on a separate client from following the correct chain.

Go Ethereum, the dominant execution client, handles this risk through a phased disclosure policy. Network-critical vulnerabilities are silently patched first. The existence of the fix is disclosed four to eight weeks later, with full technical details following in another four to eight weeks. Geth also ships a command-line tool, geth version-check, allowing node operators to check whether their installed version is known to carry any unpatched vulnerabilities.
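A minimal version-against-advisory check in the spirit of the tool described above, added here as an example: it is not Geth's code, and the feed layout, field names and advisory entries are constructed assumptions, not the real vulnerability feed.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample feed. This is NOT Geth's real vulnerabilities.json and the
# field layout is an assumption made for this example: each entry carries a
# regex in "check" that is matched against the node's full version string.
SAMPLE_FEED = json.dumps([
    {"uid": "EXAMPLE-2022-001", "severity": "High", "fixed": "v1.10.9",
     "summary": "constructed: crash on malformed p2p message",
     "check": r"Geth/v1\.10\.[0-8]-.*"},
    {"uid": "EXAMPLE-2022-002", "severity": "Critical", "fixed": "v1.10.3",
     "summary": "constructed: consensus fault in block validation",
     "check": r"Geth/v1\.(9\.\d+|10\.[0-2])-.*"},
])

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass
class Advisory:
    uid: str
    severity: str
    fixed: str
    summary: str
    check: re.Pattern


def load_feed(raw: str) -> list[Advisory]:
    """Parse the feed; a malformed regex is a feed error, not a silent pass."""
    advisories = []
    for entry in json.loads(raw):
        try:
            pattern = re.compile(entry["check"])
        except re.error as exc:
            raise ValueError(f"bad check pattern in {entry.get('uid')}: {exc}")
        advisories.append(Advisory(entry["uid"], entry["severity"],
                                   entry["fixed"], entry["summary"], pattern))
    return advisories


def unpatched_advisories(version_string: str, raw_feed: str) -> list[Advisory]:
    """Return advisories whose pattern matches this node's version, worst first.

    A real checker must verify the feed's signature before trusting it; that
    step is omitted here, so only run this against a feed you already trust.
    """
    hits = [a for a in load_feed(raw_feed) if a.check.fullmatch(version_string)]
    return sorted(hits, key=lambda a: SEVERITY_RANK.get(a.severity, 99))


if __name__ == "__main__":
    for adv in unpatched_advisories("Geth/v1.10.2-stable/linux-amd64/go1.17", SAMPLE_FEED):
        print(f"{adv.severity:8} {adv.uid}: {adv.summary} (fixed in {adv.fixed})")
```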


Bounty Payouts Were Modest. They Would Not Stay That Way.

At the time of Secured #2, the maximum payout under the Consensus Layer program was approximately $25,000 USD, and the Execution Layer cap sat around $12,500 USD. These figures are inferred from multipliers disclosed in later reporting rather than stated directly in Secured #2.

Two months later, in May 2022, the Foundation overhauled both programs, merging them into a single unified platform at bounty.ethereum.org and raising the maximum reward to $250,000 USD. During active testnet upgrade windows, the ceiling rose to $500,000 USD. The Foundation described the change as a 10x increase on the previous Consensus Layer cap and a 20x increase on the Execution Layer cap. Payments are made in ETH or DAI.

For context, among the largest Web3 bug bounties paid through responsible disclosure at the time was a $10,000,000 USD award from the Wormhole bridge in 2022. That figure reflects a payment to a researcher who reported a critical vulnerability through proper disclosure channels and is entirely separate from the approximately $320 million exploit the protocol suffered earlier that same year.


What This Means for Validators and Researchers in South Asia and Africa

For Ethereum validators in Nigeria, Kenya, India, and Pakistan, the disclosure catalogue is a practical operational tool. A validator running an unpatched consensus client risks having its 32 ETH stake slashed, a penalty mechanism the network uses to punish misbehavior. In regions where 32 ETH represents a substantial portion of household savings, understanding exactly which client versions carry known vulnerabilities is not a technical nicety; it is a financial necessity.

The bounty program also represents a direct income pathway for security researchers in lower-wage economies. At the reward levels established after the May 2022 overhaul, a single critical find on Ethereum's core infrastructure could generate income that no local employer in Lagos, Nairobi, or Bengaluru is likely to match.

Platforms like Immunefi have expanded access to this market further by serving as a dedicated access point for Web3 security work across Africa and South Asia, lowering the barrier for researchers who are not connected to Western academic or corporate networks.

At Devcon 6 in October 2022, Svantes described the programme as a model for how critical infrastructure projects should approach responsible disclosure.


The Series Continues

Secured #2 was not the end. The Foundation published further disclosure batches in subsequent editions of the series, including a $50,000 payout to a researcher identified as "scio" for discovering a crash vulnerability in the Lighthouse client triggered by malicious network messages containing an overly large request count. The programme has also recognised its most prolific contributors: Guido Vranken stands as the top individual contributor to the public-disclosures catalogue, and at least two researchers, nrv and PwningEth, chose to donate their bounty rewards to charity rather than keep them. The public-disclosures repository on GitHub continues to serve as the canonical reference for anyone auditing Ethereum client software against known vulnerability histories.