Bug Bounty Program

Recent Submissions

July 2020

Wei Yang found a bug in ConsensusFaultTimeOffsetMining that could lead to incorrectly declared faults.

July 2020

Wei Yang found an issue with the ReportConsensusFault function that caused it to not take effect.

May 2020

Leo Zhang found a message that could make the global cron actor’s HandleProvingPeriod method crash.

Rewards

Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.

The following is a guide for how points may be allocated to issues reported based on severity:

  • Critical: up to 100,000 points
  • High: up to 50,000 points
  • Medium: up to 15,000 points
  • Low: up to 2,500 points
  • Note: up to 500 points

Where currently 1 point = 1 USD (payable in USD, DAI or FIL).
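The OWASP Risk Rating model referenced above scores eight likelihood factors and four impact factors on a 0-9 scale, averages each group, bands the averages into LOW / MEDIUM / HIGH, and combines the two bands in a fixed matrix to get the overall severity. The following is an added worked example (not the Filecoin Security Team's own triage tooling) that implements that computation and maps the resulting tier to the point caps listed on this page. The factor scores for the sample finding are constructed for illustration and do not reflect how any real report was rated.

```python
# Worked OWASP Risk Rating example (added here; not Filecoin's own triage tooling).
# Factor names, the 0-9 scale, the banding thresholds and the severity matrix
# follow the OWASP Risk Rating Methodology; the point caps are from this page.
# The sample factor scores below are constructed, not a real triage.
from statistics import mean

LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors (OWASP prefers business impact factors when known)
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP overall risk severity matrix, indexed [impact band][likelihood band].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

# Maximum points per severity tier from this page (1 point = 1 USD).
MAX_POINTS = {"Critical": 100_000, "High": 50_000, "Medium": 15_000,
              "Low": 2_500, "Note": 500}


def level(score: float) -> str:
    """Band a 0-9 likelihood or impact average: <3 LOW, 3 to <6 MEDIUM, >=6 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside OWASP 0-9 scale")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, factors: tuple) -> float:
    """Validate that every factor is present and in range, then average them."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise KeyError(f"missing factor scores: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f}={scores[f]} outside OWASP 0-9 scale")
    return mean(scores[f] for f in factors)


def rate(likelihood: dict, impact: dict) -> dict:
    """Return the averaged scores, the overall severity tier and its point cap."""
    l_score = _average(likelihood, LIKELIHOOD_FACTORS)
    i_score = _average(impact, IMPACT_FACTORS)
    severity = SEVERITY[level(i_score)][level(l_score)]
    return {"likelihood": l_score, "impact": i_score,
            "severity": severity, "max_points": MAX_POINTS[severity]}


# Constructed scoring for a hypothetical fault-accounting bug: the attacker
# needs a miner setup and protocol knowledge, and the bug corrupts on-chain
# state without leaking anything. These numbers are illustrative only.
FAULT_BUG_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 7, "size": 6,
                        "ease_of_discovery": 3, "ease_of_exploit": 5,
                        "awareness": 4, "intrusion_detection": 5}
FAULT_BUG_IMPACT = {"loss_of_confidentiality": 0, "loss_of_integrity": 7,
                    "loss_of_availability": 5, "loss_of_accountability": 7}

if __name__ == "__main__":
    print(rate(FAULT_BUG_LIKELIHOOD, FAULT_BUG_IMPACT))
```

Note that the matrix is not symmetric in the way people often assume: a finding with maximal impact but LOW likelihood lands in the Medium tier, the same tier as a LOW-impact finding that is very likely to be exploited. Reporters who want to argue for a higher tier should therefore document both halves, the exploit conditions that drive likelihood and the concrete integrity or availability loss that drives impact.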

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.

NOTE: Reporters are responsible for all taxes, and all awards are subject to applicable law. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.

Rules

We encourage good-faith security research. To avoid any confusion between legitimate research and a malicious attack, we ask that you attempt, in good faith, to comply with the following guidelines:

  • Testing must not violate any law or compromise any data that is not yours

  • Please refrain from the following:

    • Denial of Service attacks and Active Exploits against the Filecoin network or Filecoin miners and nodes
    • Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
    • Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located
    • Compromising user accounts or stealing funds

  • Please report any vulnerability you’ve discovered promptly.

  • Help us improve this security process as it is critical to our mission by suggesting improvements

  • Avoid violating the privacy of Filecoin users and community members, disrupting their systems, destroying data, stealing funds and/or harming the user experience

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope

  • Interact only with test accounts you own or with explicit permission from the account holder

  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately

  • Play by the rules. This includes following this policy as well as any other relevant agreements

  • Use only official channels (email [email protected] or Keybase chat) to discuss vulnerability information with us

  • Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy

Scope

In scope for our Bug Bounty program are vulnerabilities in the core protocol and protocol implementations that have been security audited:

* Implementations undergoing active development that have not yet been security audited are currently not in scope.

Visit the Filecoin Spec: Implementation Status for more information about these projects and their audits.

Out-of-Scope

  • Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program.

  • Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.) are also out of scope.

  • Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards.

  • Public disclosure of a vulnerability makes it ineligible for a bug bounty.

Filecoin’s core development team, employees of Protocol Labs, the Filecoin Foundation and others paid by these organizations to work on the Filecoin project, indirectly or directly, are not eligible for bug bounty rewards.