Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, which is calculated from the issue's Impact and Likelihood using the OWASP Risk Rating model.
The following is a guide for how points may be allocated to issues reported based on severity:
- Critical: up to 100,000 points
- High: up to 50,000 points
- Medium: up to 15,000 points
- Low: up to 2,500 points
- Note: up to 500 points
Where currently 1 point = 1 USD (payable in USD, DAI or FIL).
Higher rewards will also be paid for reports that include quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.
Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.
NOTE: Reporters are responsible for all taxes, and all awards are subject to applicable law. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.
We encourage good-faith security research. To avoid any confusion between legitimate research and a malicious attack, we ask that you attempt, in good faith, to comply with the following:
- Testing must not violate any law or compromise any data that is not yours.
- Please refrain from the following:
  - Denial of Service attacks and active exploits against the Filecoin network or Filecoin miners and nodes
  - Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
  - Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located
  - Compromising user accounts or stealing funds
- Please report any vulnerability you've discovered promptly.
- Help us improve this security process, which is critical to our mission, by suggesting improvements.
- Avoid violating the privacy of Filecoin users and community members, disrupting their systems, destroying data, stealing funds and/or harming the user experience.
- Perform testing only on in-scope systems, and respect systems and activities which are out of scope.
- Interact only with test accounts you own or with explicit permission from the account holder.
- If a vulnerability provides unintended access to data, limit the data you access to the minimum required to demonstrate a proof of concept, then cease testing and submit a report immediately.
- Play by the rules. This includes following this policy as well as any other relevant agreements.
- Use only official channels (email: email@example.com, or Keybase chat) to discuss vulnerability information with us.
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy.
In scope for our Bug Bounty program are vulnerabilities in the core protocol and protocol implementations that have been security audited:
- Lotus Core
- Storage Miner
Implementations undergoing active development that have not yet been security audited are currently not in scope.
Visit the Filecoin Spec's Implementation Status page for more information about these projects and their audits.
Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program.
Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.) are also out of scope.
Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards.
Public disclosure of a vulnerability makes it ineligible for a bug bounty.
Filecoin's core development team, employees of Protocol Labs and the Filecoin Foundation, and others paid directly or indirectly by these organizations to work on the Filecoin project are not eligible for bug bounty rewards.
Joran reported arbitrary write vulnerability in go-ipfs.
Swapnil reported access control issues in a GitHub repository.
cryptowhizzard reported a Denial-of-Service (DoS) vulnerability in Lotus.
Brijesh reported an exposed Algolia API key on GitHub.