Filecoin Bug Bounty Program


Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.

The following is a guide for how points may be allocated to issues reported based on severity:

  • Critical: up to 500,000 points
  • High: up to 100,000 points
  • Medium: up to 25,000 points
  • Low: up to 10,000 points
  • None: up to 5,000 points

Where currently 1 point = 1 USD (payable in USD, USDC).

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.

NOTE: Reporters are responsible for all taxes and all awards subject to applicable law. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.

Scope (now includes reports for the FEVM implementation)

In scope for our Bug Bounty program are vulnerabilities in the core protocol and protocol implementations that have been security audited:

Category Level Impact In Scope
Critical(POC required)
Network not being able to confirm new transactions (Total network shutdown)
Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)
Direct loss of funds
Permanent, repeatable freezing of funds affecting core protocol areas (fix requires hard fork)
RPC API crash capable of impacting block production
Protocol-level bug causing breakage of all contracts deployed on the chain
Protocol-level bug that enables tricking contracts into sending funds to arbitrary addresses
High(POC required) Unintended chain split (Network partition) with localized impacts
Transient consensus failures
Inability to propagate new transactions
Protocol-level bug preventing contracts from using their funds
Protocol-level bug causing the inability for developers to deploy new smart contracts
Protocol-level bug rendering a single contract unusable after the exploit (i.e. contract bricked)
Medium High compute consumption by validator/mining nodes
Attacks against thin clients
DoS of greater than 30% of validator or miner nodes and does not shut down the network
EVM instruction fails to execute, in a general way
Inability to deploy a contract under a specific circumstances
Low DoS of greater than 10% but less than 30% of validator or miner nodes and does not shut down the network
Underpricing transaction fees relative to computation time
Contract on the platform fails to deliver promised returns, but doesn’t lose values
EVM instruction fails to execute when provided with concrete parameters

* Implementations undergoing active development that have not yet been security audited are currently not in scope.

Read More


  • Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program.

  • Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.) are also out of scope.

  • Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards.

  • Any smart contract deployed on the FVM platfom is not a part of the bug bounty program.

  • Public disclosure of a vulnerability makes it ineligible for a bug bounty.

Current and former members of the Filecoin core development team, and current and former employees, contractors and others who have been paid by Protocol Labs or the Filecoin Foundation to work on the Filecoin project, indirectly or directly, are not eligible for bug bounty rewards.


We encourage good-faith security research and ask that you follow these guidelines to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to comply with the following:

  • Testing must not violate any law or compromise any data that is not yours

  • Please refrain from the following:

    • Denial of Service attacks and Active Exploits against the Filecoin network or Filecoin miners and nodes
    • Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
    • Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located
    • Compromising user accounts or stealing funds
  • Please report any vulnerability you’ve discovered promptly.

  • Help us improve this security process as it is critical to our mission by suggesting improvements

  • Avoid violating the privacy of Filecoin users and community members, disrupting their systems, destroying data, stealing funds and/or harming the user experience

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope

  • Interact only with test accounts you own or with explicit permission from the account holder

  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately

  • Play by the rules. This includes following the law, this policy and any other relevant agreements and policies, including the abiding by the Filecoin Community Code of Conduct in all communications, discussions or posts related to this program or your discovered vulnerability.

  • Use only official channels (email or Keybase chat) to discuss vulnerability information with us

  • Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy

Recent Submissions

Aug 2021

Joran reported arbitrary write vulnerability in go-ipfs.

Sept 2021

Swapnil reported Access Control Issues in Github Repository.

Oct 2021

cryptowhizzard reported an Denial-Of-Service(DOS) vulnerability in Lotus.

Jan 2022

Brijesh reported an exposed Algolia API key in Github.

Hall of Fame