Almost anything you find that is a bug in the codebase should be filed as an issue on GitHub. However, when you find a bug that is also a security vulnerability and can compromise the integrity of the live network, please bring it to our attention right away.
We’ve created two main channels for reporting:
- Send an email to email@example.com. This email is monitored everyday. Please use our PGP key to encrypt sensitive information.
- Alternatively, request to join the filecoin_sec team on Keybase, where we can set up a private channel to discuss.
Please do not file a public issue or discuss the vulnerability in public places like Slack, Twitter, etc.
Participate in the Filecoin Bug Bounty
We created a program to reward all security researchers, hackers and security afficionados that invest time into finding bugs on the Filecoin protocol and its respective implementations.
Reported security vulnerabilities are eligible for a Bug Bounty.
Protocol implementations continuously undergo rigorous third-party auditing. Published audit reports are linked in the Filecoin Specification under Audit Reports.
We have a Coordinated Disclosure policy. We will make a best effort to address all vulnerabilities as soon as possible and coordinate with the researcher the disclosure of the finding.
We've created this program for all security researchers to collaborate with the Filecoin project. All findings submitted that fall within the rules of the program will receive a reward.
We will announce any major security events on this page as well as via Filecoin Community Slack and Twitter.