Security: filecoin-project/lotus

SECURITY.md

Security Policy

At Filecoin, we take the security of our software with the utmost seriousness. Ensuring the security of our decentralized network is a critical priority, and we rely on both internal teams and the wider security community to help us safeguard it.

If you believe you have found a security vulnerability that meets our criteria for a valid security concern, we encourage you to report it through the appropriate channels outlined below.

Reporting a Vulnerability

Please do not report security vulnerabilities via public GitHub issues. Instead, we ask that you report potential security issues responsibly through our Bug Bounty Program hosted on Immunefi.

Report through Filecoin Bug Bounty Program:

  • We offer rewards for valid security vulnerability reports through our Immunefi Bug Bounty Program. This is our preferred method for handling reports, and the program outlines the types of vulnerabilities eligible for rewards. We offer up to 150k USD bounty for consensus critical issues.

  • If you have any questions about eligibility for the bug bounty, or about security in general, feel free to reach out to us at security@fil.org.

We highly value the contributions of our security researchers and recognize the importance of their work in keeping Filecoin secure. To show our appreciation, we maintain a leaderboard on our website, acknowledging top contributors who help us strengthen the network by responsibly disclosing vulnerabilities. Researchers who follow our disclosure guidelines and provide detailed reports will not only be eligible for bounty rewards through our Immunefi Bug Bounty Program but also have the opportunity to earn recognition on our Filecoin Security Leaderboard.

Information to Include in Bug Reports

To help us better assess and address the issue, please provide as much of the following information as possible:

  • Type of vulnerability (e.g., panics, denial of service, etc.)
  • Affected component or path of the source code (e.g. file paths, branch, commit)
  • Step-by-step instructions to reproduce the vulnerability
  • Proof-of-concept or exploit code (if available)
  • Any necessary configuration details
  • Description of the potential impact and how an attacker could exploit it

More information on the rewards and impact can be found here.

Coordinated Disclosure

Filecoin follows a Coordinated Disclosure Policy (CDP). We ask that security researchers give us a reasonable timeframe to address the issue before making any public disclosure. More information can be found here.