Our Responsibilities
Coordination & Collaboration
We spend time coordinating and collaborating with many parts of the ecosystem to help keep Ethereum safe. Some of the things we do are:
- Vulnerability coordination and collaboration with L2s, L1s, critical dependencies and more for security issues
- Protocol Security call series
- Coordination and collaboration with external security auditors for protocol related audits
- Security coordination and collaboration with client teams and critical dependencies
- Coordination and collaboration with researchers from the Ethereum ecosystem, academia and security
- Collaboration with teams such as EF Devops and EF Testing
- Ongoing collaboration and support for grantees
- Supporting public good projects related to security
- Writing the "Secured" series on the EF Blog
- Hosting security challenges such as the Ethereum Protocol Attackathon
Bug Bounty Program
The Protocol Security Research team manages the Ethereum Foundation Bug Bounty Program. We receive reports, triage, provide input, pay bounty rewards and coordinate public disclosures. The bug bounty program covers Ethereum specifications, Ethereum clients, the Solidity compiler and more.
We also keep a public repository of past results.
Grants
We feel that providing resources and funding to security grants is impactful and valuable to the ecosystem. In our opinion, providing funding is often critical; however, we also provide our own time as a resource to further help projects be successful.
- Provide and support Academic Grants through funding and resources
- We support the Ethereum Protocol Fellowship by providing resources
- We provide resources for the Devcon(nect) Scholars
- We provide funding and resources for General Security Grants including:
  - The Red Guild
  - Security Alliance
  - Fuzzers created by external contributors like Guido Vranken
Fuzzing
There is a finite amount of time for manual audits, so we build, maintain and use fuzzers to increase the likelihood of finding vulnerabilities. Many severe vulnerabilities have been found by these fuzzers, and then patched by client teams before they could be found and exploited by a malicious actor.
Manual Reviews
We spend a lot of time manually reviewing specifications, clients and critical dependencies. Upcoming hardfork changes are continually reviewed and prioritized.
Specifications
Research
Many hours are spent on security research related to the Ethereum ecosystem. Because some of this research could pose a threat if published, the specific results are often not made public; instead, the outcome of the research is used to further secure the Ethereum ecosystem through improvements.
Some examples of research topics include:
- Client Diversity
- /dev/random Diversity
- ZK security research
- Threat Analysis
- Risk Assessments
- L2s
- Cryptography