The Flashbots team would appreciate any contributions and responsible disclosures, and will make every effort to acknowledge your contributions.
Bugs that affect the security of the Ethereum protocol in the mev-boost and mev-boost-relay repositories are in scope. Bugs in third-party dependencies are not in scope unless they result in a bug in mev-boost with demonstrable security impact.
Please see Releases. Generally it is recommended to use the latest release.
To report a vulnerability, please email [email protected] and provide all the necessary details to reproduce it, such as:
- Release version
- Operating System
- Consensus / Execution client combination and version
- Network (Mainnet or other testnet)
Please include the steps to reproduce it using as much detail as possible with the corresponding logs from mev-boost and / or logs from the consensus / execution client.
Once we have received your bug report, we will try to reproduce it and provide a more detailed response. Once the reported bug has been successfully reproduced, the team will work on a fix.
The bug bounty program will be a shared bounty pool of up to 50k USD between mev-boost and mev-boost-relay.
We would like to welcome node operators, builders, searchers and other participants in the ecosystem to contribute to this bounty pool to help make the ecosystem more secure.