by karalabe
3021 days ago
TL;DR Geth 1.8.0 shipped with [DNS rebind protection](https://github.com/ethereum/go-ethereum/pull/15962), so as far as we know, it's not vulnerable.

---

We originally rejected the bounty report because:

* We always recommend people communicate with Geth via IPC, not HTTP. The APIs are too powerful for public access: even if no one can steal your Ether, they can exhaust all your local resources via `eth_call`, for example. Our suggestion is to always run a custom proxy that properly rate limits and authenticates outside users vs. running an HTTP server inside Geth. CORS is a protection that always depends on browsers correctly enforcing it, which has been circumvented multiple times, so it's not a good enough security measure.
* For a very long time now, we have considered unlocking an account a dangerous operation, recommended only to power users who can properly protect their setup. Mist and other applications transact via API endpoints that do not unlock accounts, so unless a user explicitly, manually unlocks their account, they should be fine.

That being said... even though we consider the attack vector fairly convoluted and it would require a lot of bad user practices to pull off, we agreed that if we can do anything meaningful to prevent it, then we should most definitely do that. For that reason we introduced the `--rpcvhosts` flag, which is similar to CORS but checks the request's origin via different means and rejects DNS-rebound HTTP actions server side.

As for the original report, although we rejected the bounty request initially, we agreed that it should be rewarded with a low-impact value, since we did make a software modification based on the report. Unfortunately this bounty decision has been waiting for approval since the 5th of February. Not sure why it got stuck in the pipeline; we apologize for the delay.
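Added example, not part of the comment above and not go-ethereum's code: a Go middleware showing the server-side Host-header allowlist that a `--rpcvhosts`-style check relies on. The `VirtualHostHandler`, `HostAllowed` and `StatusFor` names are hypothetical; the point is that a DNS-rebound request still carries the attacker's domain in its Host header, so it is refused even though the TCP connection reached the local node.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// VirtualHostHandler rejects requests whose Host header is not allowlisted.
// Hypothetical illustration of the --rpcvhosts idea, not go-ethereum's code.
type VirtualHostHandler struct {
	Allowed []string     // permitted host names; "*" permits any host
	Next    http.Handler // the JSON-RPC handler being protected
}

// HostAllowed strips any port ("localhost:8545" -> "localhost") and compares
// case-insensitively against the allowlist. A DNS-rebound request carries the
// attacker's domain in Host, so it is refused although the socket is local.
func (h *VirtualHostHandler) HostAllowed(rawHost string) bool {
	host := rawHost
	if hp, _, err := net.SplitHostPort(rawHost); err == nil {
		host = hp
	}
	for _, a := range h.Allowed {
		if a == "*" || strings.EqualFold(a, host) {
			return true
		}
	}
	return false
}

// ServeHTTP answers 403 for a disallowed Host and otherwise forwards the
// request unchanged to the protected handler.
func (h *VirtualHostHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !h.HostAllowed(r.Host) {
		http.Error(w, "invalid host specified", http.StatusForbidden)
		return
	}
	h.Next.ServeHTTP(w, r)
}

// StatusFor runs one in-memory request with the given Host header through h
// and returns the resulting HTTP status code (no network involved).
func StatusFor(h http.Handler, hostHeader string) int {
	req := httptest.NewRequest(http.MethodPost, "/", nil)
	req.Host = hostHeader
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With `Allowed: []string{"localhost"}`, a request with `Host: localhost:8545` gets 200 and one with `Host: attacker.example` gets 403; a `"*"` entry disables the check, which is the setting to avoid on an exposed node.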