Filecoin Bug Bounty Program

Rewards

Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, which is calculated from the issue's Impact and Likelihood using the OWASP Risk Rating model.

The following is a guide for how points may be allocated to issues reported based on severity:

  • Critical: up to 500,000 points
  • High: up to 100,000 points
  • Medium: up to 25,000 points
  • Low: up to 10,000 points
  • None: up to 5,000 points

Where currently 1 point = 1 USD (payable in USD, USDC).

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.

NOTE: Reporters are responsible for all taxes, and all awards are subject to applicable law. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.

Scope (now includes reports for the FEVM implementation)

In scope for our Bug Bounty program are vulnerabilities in the core protocol and protocol implementations that have been security audited:

Category: Blockchain/DLT (all impact levels listed below are in scope)

Critical (POC required):

  • Network not being able to confirm new transactions (total network shutdown)
  • Unintended permanent chain split requiring a hard fork (network partition requiring a hard fork)
  • Direct loss of funds
  • Permanent, repeatable freezing of funds affecting core protocol areas (fix requires a hard fork)
  • RPC API crash capable of impacting block production
  • Protocol-level bug causing breakage of all contracts deployed on the chain
  • Protocol-level bug that enables tricking contracts into sending funds to arbitrary addresses

High (POC required):

  • Unintended chain split (network partition) with localized impacts
  • Transient consensus failures
  • Inability to propagate new transactions
  • Protocol-level bug preventing contracts from using their funds
  • Protocol-level bug preventing developers from deploying new smart contracts
  • Protocol-level bug rendering a single contract unusable after the exploit (i.e. the contract is bricked)

Medium:

  • High compute consumption by validator/mining nodes
  • Attacks against thin clients
  • DoS of more than 30% of validator or miner nodes that does not shut down the network
  • EVM instruction fails to execute, in a general way
  • Inability to deploy a contract under specific circumstances

Low:

  • DoS of more than 10% but less than 30% of validator or miner nodes that does not shut down the network
  • Underpricing of transaction fees relative to computation time
  • Contract on the platform fails to deliver promised returns, but does not lose value
  • EVM instruction fails to execute when provided with concrete parameters

* Implementations undergoing active development that have not yet been security audited are currently not in scope.

Out-of-Scope

  • Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program.

  • Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.) are also out of scope.

  • Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards.

  • Any smart contract deployed on the FVM platform is not a part of the bug bounty program.

  • Public disclosure of a vulnerability makes it ineligible for a bug bounty.

Current and former members of the Filecoin core development team, and current and former employees, contractors and others who have been paid by Protocol Labs or the Filecoin Foundation to work on the Filecoin project, indirectly or directly, are not eligible for bug bounty rewards.

Rules

We encourage good-faith security research. To avoid any confusion between legitimate research and a malicious attack, we ask that you attempt, in good faith, to comply with the following guidelines:

  • Testing must not violate any law or compromise any data that is not yours

  • Please refrain from the following:

    • Denial of Service attacks and Active Exploits against the Filecoin network or Filecoin miners and nodes
    • Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
    • Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located
    • Compromising user accounts or stealing funds

  • Please report any vulnerability you've discovered promptly.

  • Help us improve this security process, which is critical to our mission, by suggesting improvements

  • Avoid violating the privacy of Filecoin users and community members, disrupting their systems, destroying data, stealing funds and/or harming the user experience

  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope

  • Interact only with test accounts you own or with explicit permission from the account holder

  • If a vulnerability provides unintended access to data, limit the data you access to the minimum required to demonstrate a Proof of Concept, then cease testing and submit a report immediately

  • Play by the rules. This includes following the law, this policy and any other relevant agreements and policies, including abiding by the Filecoin Community Code of Conduct in all communications, discussions or posts related to this program or your discovered vulnerability.

  • Use only official channels (email security@filecoin.org or Keybase chat) to discuss vulnerability information with us

  • Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy

Recent Submissions

Aug 2021

Joran reported arbitrary write vulnerability in go-ipfs.

Sept 2021

Swapnil reported Access Control Issues in a GitHub Repository.

Oct 2021

cryptowhizzard reported a Denial-of-Service (DoS) vulnerability in Lotus.

Jan 2022

Brijesh reported an exposed Algolia API key on GitHub.

Hall of Fame

2023
2022
2021