Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.
The following is a guide for how points may be allocated to issues reported based on severity:
- Critical: up to 500,000 points
- High: up to 100,000 points
- Medium: up to 25,000 points
- Low: up to 10,000 points
- None: up to 5,000 points
Currently 1 point = 1 USD (payable in USD or USDC).
Higher rewards will also be paid for reported vulnerabilities that include quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.
Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.
NOTE: Reporters are responsible for all taxes, and all awards are subject to applicable law. We are not able to pay bounty awards to individuals who are on a U.S. sanctions list or in a country on a U.S. sanctions list.
Scope (now includes reports for the FEVM implementation)
In scope for our Bug Bounty program are vulnerabilities in the core protocol and protocol implementations that have been security audited:
| Impact In Scope |
|---|
| Network not being able to confirm new transactions (total network shutdown) |
| Unintended permanent chain split requiring hard fork (network partition requiring hard fork) |
| Direct loss of funds |
| Permanent, repeatable freezing of funds affecting core protocol areas (fix requires hard fork) |
| RPC API crash capable of impacting block production |
| Protocol-level bug causing breakage of all contracts deployed on the chain |
| Protocol-level bug that enables tricking contracts into sending funds to arbitrary addresses |
| Unintended chain split (network partition) with localized impacts |
| Transient consensus failures |
| Inability to propagate new transactions |
| Protocol-level bug preventing contracts from using their funds |
| Protocol-level bug causing the inability for developers to deploy new smart contracts |
| Protocol-level bug rendering a single contract unusable after the exploit (i.e. contract bricked) |
| High compute consumption by validator/mining nodes |
| Attacks against thin clients |
| DoS of greater than 30% of validator or miner nodes that does not shut down the network |
| EVM instruction fails to execute, in a general way |
| Inability to deploy a contract under specific circumstances |
| DoS of greater than 10% but less than 30% of validator or miner nodes that does not shut down the network |
| Underpricing transaction fees relative to computation time |
| Contract on the platform fails to deliver promised returns, but doesn't lose value |
| EVM instruction fails to execute when provided with concrete parameters |
Important notices about the issue criteria presented in the table:
- Security reports that are not explicitly listed in the table will still be reviewed and matched against the severity classification based on their impact.
- Our payment terms are up to 30 days after the invoice is generated.
- Reference FVM (ref-fvm): reference implementation of the Filecoin VM (Repository).
- Implementations undergoing active development that have not yet been security audited are currently not in scope.
Visit the Filecoin Spec: Implementation Status for more information about these projects and their audits.
Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program.
Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.) are also out of scope.
Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards.
Any smart contract deployed on the FVM platform is not a part of the bug bounty program.
Public disclosure of a vulnerability makes it ineligible for a bug bounty.
Current and former members of the Filecoin core development team, and current and former employees, contractors and others who have been paid by Protocol Labs or the Filecoin Foundation to work on the Filecoin project, indirectly or directly, are not eligible for bug bounty rewards.
We encourage good-faith security research. To avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to comply with the following:
Testing must not violate any law or compromise any data that is not yours.
Please refrain from the following:
- Denial of Service attacks and Active Exploits against the Filecoin network or Filecoin miners and nodes
- Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
- Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located
- Compromising user accounts or stealing funds
Please also:
- Report any vulnerability you've discovered promptly.
- Help us improve this security process, which is critical to our mission, by suggesting improvements.
- Avoid violating the privacy of Filecoin users and community members, disrupting their systems, destroying data, stealing funds and/or harming the user experience.
- Perform testing only on in-scope systems, and respect systems and activities which are out of scope.
- Interact only with test accounts you own or with explicit permission from the account holder.
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a Proof of Concept, then cease testing and submit a report immediately.
- Play by the rules. This includes following the law, this policy and any other relevant agreements and policies, including abiding by the Filecoin Community Code of Conduct in all communications, discussions or posts related to this program or your discovered vulnerability.
- Use only official channels (email firstname.lastname@example.org or Keybase chat) to discuss vulnerability information with us.
- Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy.
Joran reported an arbitrary write vulnerability in go-ipfs.
Swapnil reported access control issues in a GitHub repository.
cryptowhizzard reported a Denial-of-Service (DoS) vulnerability in Lotus.
Brijesh reported an exposed Algolia API key on GitHub.