Security: flashbots/mev-boost-relay

SECURITY.md

Security Policy

The Flashbots team would appreciate any contributions and responsible disclosures, and will make every effort to acknowledge your contributions.

Scope

Bugs that affect the security of the Ethereum protocol in the mev-boost and mev-boost-relay repositories are in scope. Bugs in third-party dependencies are not in scope unless they result in a bug in mev-boost with demonstrable security impact.

Reporting a Vulnerability

To report a vulnerability, please email security@flashbots.net and provide all the necessary details to reproduce it, such as:

  • Release version
  • Operating System
  • Consensus / Execution client combination and version
  • Network (Mainnet or a testnet)

Please include the steps to reproduce it using as much detail as possible with the corresponding logs from mev-boost and / or logs from the consensus / execution client.

Once we have received your bug report, we will try to reproduce it and provide a more detailed response. Once the reported bug has been successfully reproduced, the team will work on a fix.

Bounty Program

The bug bounty program will be a shared bounty pool of up to 50k USD between mev-boost and mev-boost-relay.

We would like to welcome node operators, builders, searchers and other participants in the ecosystem to contribute to this bounty pool to help make the ecosystem more secure.

There aren’t any published security advisories