ethereum · corwintines · Sep 30, 2025 · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
@@ -85,6 +85,10 @@ const StyledCard = ({ children, ...props }) => (
   </Card>
 )
 
+const StrongGreaterThan = (chunks: React.ReactNode) => (
+  <strong>&gt;{chunks}</strong>
+)
+
 type CardDetails = Required<Pick<CardProps, "title" | "link" | "image">> &
   Pick<CardProps, "className">
 
@@ -446,11 +450,11 @@ export default async function Page({ params }: { params: Promise<Params> }) {
                 <div>
                   <H4>{t("page-upgrades-bug-bounty-help-links")}</H4>
                   <InlineLink href="https://github.com/ethereum/consensus-specs/blob/dev/specs/phase0/deposit-contract.md">
-                    Deposit Contract Specifications
+                    {t("page-upgrades-bug-bounty-deposit-contract-specs")}
                   </InlineLink>
                   <br />
                   <InlineLink href="https://github.com/ethereum/consensus-specs/blob/dev/solidity_deposit_contract/deposit_contract.sol">
-                    Deposit Contract Source Code
+                    {t("page-upgrades-bug-bounty-deposit-contract-source")}
                   </InlineLink>
                 </div>
               </StyledCard>
@@ -471,16 +475,152 @@ export default async function Page({ params }: { params: Promise<Params> }) {
                 </div>
               </StyledCard>
             </Flex>
+            <div>
+              <H2 id="qualifications" className="max-w-[100ch]">
+                {t("page-upgrades-bug-bounty-severity-qualifications-title")}
+              </H2>
+              <p className="max-w-[100ch]">
+                {t("page-upgrades-bug-bounty-severity-qualifications-desc")}
+              </p>
+
+              <div className="mt-8 grid grid-cols-1 gap-6 md:grid-cols-2 md:gap-x-8 xl:grid-cols-4">
+                <div className="space-y-4">
+                  <h3>{t("page-upgrades-bug-bounty-severity-low-title")}</h3>
+                  <ul>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-low-li-1", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-low-li-2", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-low-li-3", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                  </ul>
+                </div>
+                <div className="space-y-4">
+                  <h3>{t("page-upgrades-bug-bounty-severity-medium-title")}</h3>
+                  <ul>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-medium-li-1", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-medium-li-2", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-medium-li-3", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                  </ul>
+                </div>
+                <div className="space-y-4">
+                  <h3>{t("page-upgrades-bug-bounty-severity-high-title")}</h3>
+                  <ul>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-high-li-1", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-high-li-2", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                    <li>
+                      {t.rich("page-upgrades-bug-bounty-severity-high-li-3", {
+                        strong: StrongGreaterThan,
+                      })}
+                    </li>
+                  </ul>
+                </div>
+                <div className="space-y-4">
+                  <h3>
+                    {t("page-upgrades-bug-bounty-severity-critical-title")}
+                  </h3>
+                  <ul>
+                    <li>
+                      {t.rich(
+                        "page-upgrades-bug-bounty-severity-critical-li-1",
+                        {
+                          strong: StrongGreaterThan,
+                        }
+                      )}
+                    </li>
+                    <li>
+                      {t.rich(
+                        "page-upgrades-bug-bounty-severity-critical-li-2",
+                        {
+                          strong: Strong,
+                        }
+                      )}
+                    </li>
+                    <li>
+                      {t.rich(
+                        "page-upgrades-bug-bounty-severity-critical-li-3",
+                        {
+                          strong: Strong,
+                        }
+                      )}
+                    </li>
+                    <li>
+                      {t.rich(
+                        "page-upgrades-bug-bounty-severity-critical-li-4",
+                        {
+                          strong: Strong,
+                        }
+                      )}
+                    </li>
+                    <li>
+                      {t.rich(
+                        "page-upgrades-bug-bounty-severity-critical-li-5",
+                        {
+                          strong: Strong,
+                        }
+                      )}
+                    </li>
+                  </ul>
+                </div>
+              </div>
+            </div>
             <div className="max-w-[100ch] flex-1">
               <H2 id="out-of-scope">
                 {t("page-upgrades-bug-bounty-not-included")}
               </H2>
-              <Text>
+              <p>
                 {t.rich("page-upgrades-bug-bounty-not-included-desc", {
-                  a: (chunks) => (
-                    <InlineLink href="#in-scope">{chunks}</InlineLink>
-                  ),
+                  a: (chunks) => <Link href="#in-scope">{chunks}</Link>,
                 })}
+              </p>
+              <ul className="mt-8 [&>li]:mb-2">
+                <li>
+                  {t("page-upgrades-bug-bounty-not-included-li-1")}
+                  <sup>*</sup>
+                </li>
+                <li>
+                  {t("page-upgrades-bug-bounty-not-included-li-2")}
+                  <sup>*</sup>
+                </li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-3")}</li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-4")}</li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-5")}</li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-6")}</li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-7")}</li>
+                <li>{t("page-upgrades-bug-bounty-not-included-li-8")}</li>
+              </ul>
+              <Text>
+                <sup>*</sup>
+                {t("page-upgrades-bug-bounty-out-of-scope-footnote")}
               </Text>
             </div>
           </Content>

@@ -13,6 +13,8 @@
   "page-upgrades-bug-bounty-misc-bugs-desc-2": "Solidity and Vyper does not hold security guarantees regarding compilation of untrusted input – and we do not issue rewards for crashes of the compiler on maliciously generated data.",
   "page-upgrades-bug-bounty-deposit-bugs": "Deposit Contract bugs",
   "page-upgrades-bug-bounty-deposit-bugs-desc": "The specifications and source code of the Beacon Chain Deposit Contract is part of the bug bounty program.",
+  "page-upgrades-bug-bounty-deposit-contract-specs": "Deposit Contract Specifications",
+  "page-upgrades-bug-bounty-deposit-contract-source": "Deposit Contract Source Code",
   "page-upgrades-bug-bounty-dependency-bugs": "Dependency bugs",
   "page-upgrades-bug-bounty-dependency-bugs-desc": "Certain dependencies are crucial for the Ethereum Network to function, and some of these have been added to the bug bounty program. Currently, the list of dependencies included in the bug bounty program are C-KZG-4844 and Go-KZG-4844.",
   "page-upgrades-bug-bounty-docking": "merge",
@@ -36,7 +38,7 @@
   "page-upgrades-bug-bounty-meta-description": "An overview of the Ethereum bug bounty program: how to get involved and reward information.",
   "page-upgrades-bug-bounty-meta-title": "Ethereum Bug Bounty Program",
   "page-upgrades-bug-bounty-not-included": "Out of scope",
-  "page-upgrades-bug-bounty-not-included-desc": "Only the <a>targets listed under in-scope</a> are part of the Bug Bounty Program. This means that for example our infrastructure; such as webpages, dns, email etc, are not part of the bounty-scope. ERC-20 contract bugs are typically not included in the bounty scope. However, we can help reach out to affected parties, such as authors or exchanges in such cases. ENS is maintained by the ENS foundation, and is not part of the bounty scope. Vulnerabilities requiring the user to have publicly exposed an API, such as JSON-RPC or the Beacon API, is out of scope of the bug bounty program.",
+  "page-upgrades-bug-bounty-not-included-desc": "Only the <a>targets listed under in-scope</a> are part of the Bug Bounty Program. Vulnerabilities that do NOT qualify under the program include:",
   "page-upgrades-bug-bounty-owasp": "View OWASP method",
   "page-upgrades-bug-bounty-points": "The EF will also provide rewards based on:",
   "page-upgrades-bug-bounty-points-error": "Error loading data... please refresh.",
@@ -125,7 +127,7 @@
   "bug-bounty-faq-q5-contentPreview": "Please allow a few days for someone to respond to your submission.",
   "bug-bounty-faq-q5-content-1": "We aim to respond to submissions as fast as possible. Feel free to email us at <a href=\"mailto:bounty@ethereum.org\" target=\"_blank\" rel=\"noreferrer\">bounty@ethereum.org</a> if you have not received a response within a day or two.",
   "bug-bounty-faq-q6-title": "I want to be anonymous / I do not want my name on the leader board.",
-  "bug-bounty-faq-q6-contentPreview": "You can do this, but it might make you ineligble for rewards.",
+  "bug-bounty-faq-q6-contentPreview": "You can do this, but it might make you ineligible for rewards.",
   "bug-bounty-faq-q6-content-1": "Submitting anonymously or with a pseudonym is OK, but will make you ineligible for ETH/DAI rewards. To be eligible for ETH/DAI rewards, we require your real name and a proof of your identity to be sent, encrypted using PGP on our secure drop website, to our legal team at the Ethereum Foundation who are the sole reviewers of the documentation. Donating your bounty to a charity doesn’t require your identity.",
   "bug-bounty-faq-q6-content-2": "Please let us know if you do not want your name/nick displayed on the leader board.",
   "bug-bounty-faq-q7-title": "What are the points in the leaderboard?",
@@ -134,5 +136,34 @@
   "bug-bounty-faq-q8-title": "Do you have a PGP key?",
   "bug-bounty-faq-q8-contentPreview": "Yes. Expand for details.",
   "bug-bounty-faq-q8-content-1": "Please use <code>AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A</code>",
-  "bug-bounty-faq-q8-PGP-key": "PGP Key"
+  "bug-bounty-faq-q8-PGP-key": "PGP Key",
+  "page-upgrades-bug-bounty-severity-qualifications-title": "Vulnerability severity qualifications",
+  "page-upgrades-bug-bounty-severity-qualifications-desc": "Severity is assessed based on a discovered vulnerability's ability to do the following:",
+  "page-upgrades-bug-bounty-severity-low-title": "Low severity",
+  "page-upgrades-bug-bounty-severity-low-li-1": "Slash <strong>0.01%</strong> of validators",
+  "page-upgrades-bug-bounty-severity-low-li-2": "Trivially cause network splits affecting <strong>0.01%</strong> of the network",
+  "page-upgrades-bug-bounty-severity-low-li-3": "Be able to bring down <strong>0.01%</strong> of the network by sending a single network packet or an onchain transaction",
+  "page-upgrades-bug-bounty-severity-medium-title": "Medium severity",
+  "page-upgrades-bug-bounty-severity-medium-li-1": "Slash <strong>1%</strong> of validators",
+  "page-upgrades-bug-bounty-severity-medium-li-2": "Trivially cause network splits affecting <strong>5%</strong> of the network",
+  "page-upgrades-bug-bounty-severity-medium-li-3": "Be able to bring down <strong>5%</strong> of the network by sending a single network packet or an onchain transaction",
+  "page-upgrades-bug-bounty-severity-high-title": "High severity",
+  "page-upgrades-bug-bounty-severity-high-li-1": "Slash <strong>33%</strong> of validators",
+  "page-upgrades-bug-bounty-severity-high-li-2": "Trivially cause network splits affecting <strong>33%</strong> of the network",
+  "page-upgrades-bug-bounty-severity-high-li-3": "Be able to bring down <strong>33%</strong> of the network by sending a single network packet or an onchain transaction",
+  "page-upgrades-bug-bounty-severity-critical-title": "Critical severity",
+  "page-upgrades-bug-bounty-severity-critical-li-1": "Slash <strong>50%</strong> of validators",
+  "page-upgrades-bug-bounty-severity-critical-li-2": "Exploit an EIP/specification or client bug to easily <strong>create an infinite amount of ETH</strong> which is finalized by the network",
+  "page-upgrades-bug-bounty-severity-critical-li-3": "<strong>Steal ETH</strong> from all EOAs",
+  "page-upgrades-bug-bounty-severity-critical-li-4": "<strong>Burn ETH</strong> from all EOAs",
+  "page-upgrades-bug-bounty-severity-critical-li-5": "<strong>Take down the entire network</strong> by sending a single malicious onchain transaction that ends up crashing all clients",
+  "page-upgrades-bug-bounty-out-of-scope-footnote": "These are typically not included, however, we can help reach out to affected parties, such as authors or exchanges in such cases",
+  "page-upgrades-bug-bounty-not-included-li-1": "Infrastructure bugs—such as webpages, dns, email, etc.",
+  "page-upgrades-bug-bounty-not-included-li-2": "ERC-20 contract bugs",
+  "page-upgrades-bug-bounty-not-included-li-3": "Ethereum Naming Service (ENS) bugs (maintained by the ENS foundation)",
+  "page-upgrades-bug-bounty-not-included-li-4": "Vulnerabilities requiring the user to have publicly exposed an API, such as JSON-RPC or the Beacon API",
+  "page-upgrades-bug-bounty-not-included-li-5": "Typographical errors",
+  "page-upgrades-bug-bounty-not-included-li-6": "Tests",
+  "page-upgrades-bug-bounty-not-included-li-7": "High-effort (sustained, CPU or bandwidth intensive, and/or requires more than 1 packet or onchain transaction) single-peer DoS attacks",
+  "page-upgrades-bug-bounty-not-included-li-8": "Any publicly known issues (includes forum posts, PRs, github issues, commits, blog posts, public discord messages, etc.)"
 }