* Updating Security.md * Refactoring Security.md * Update SECURITY.md --------- Co-authored-by: Phi-rjan <[email protected]>
1 parent 312fa3a, commit 8e6ff2a
Showing 1 changed file with 23 additions and 13 deletions.
@@ -1,23 +1,33 @@ | ||
# Security Policy | ||
At Filecoin, we take the security of our software with the utmost seriousness. Ensuring the security of our decentralized network is a critical priority, and we rely on both internal teams and the wider security community to help us safeguard it. | ||
|
||
If you believe you have found a security vulnerability that meets our criteria for a valid security concern, we encourage you to report it through the appropriate channels outlined below. | ||
|
||
## Reporting a Vulnerability | ||
|
||
For reporting security vulnerabilities/bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md. Security vulnerabilities should be reported via our [Vulnerability Reporting channels](https://github.com/filecoin-project/community/blob/master/SECURITY.md#vulnerability-reporting) and will be eligible for a [Bug Bounty](https://security.filecoin.io/bug-bounty/). | ||
Please do not report security vulnerabilities via public GitHub issues. | ||
Instead, we ask that you report potential security issues responsibly through our Bug Bounty Program hosted on Immunefi | ||
|
||
### Report through Filecoin Bug Bounty Program: | ||
- We offer rewards for valid security vulnerability reports through our [Immunefi Bug Bounty Program](https://immunefi.com/bounty/filecoin/). This is our preferred method for handling reports, and the program outlines the types of vulnerabilities eligible for rewards. We offer up to 150k USD bounty for consensus critical issues. | ||
|
||
- If you've any questions on eligibility for the bug bounty or security in general, feel free to reach out to us at [email protected]. | ||
|
||
We highly value the contributions of our security researchers and recognize the importance of their work in keeping Filecoin secure. To show our appreciation, we maintain a [leaderboard](https://www.fil.org/security/bug-bounty) on our website, acknowledging top contributors who help us strengthen the network by responsibly disclosing vulnerabilities. Researchers who follow our disclosure guidelines and provide detailed reports will not only be eligible for bounty rewards through our [Immunefi Bug Bounty Program](https://immunefi.com/bounty/filecoin/) but also have the opportunity to earn recognition on our Filecoin Security Leaderboard. | ||
|
||
Please try to provide a clear description of any bugs reported, along with how to reproduce the bug if possible. More detailed bug reports (especially those with a PoC included) will help us move forward much faster. Additionally, please avoid reporting bugs that already have open issues. Take a moment to search the issue list of the related GitHub repositories before writing up a new report. | ||
### Information to Include in bug reports | ||
|
||
Here are some examples of bugs we would consider to be security vulnerabilities: | ||
To help us better assess and address the issue, please provide as much of the following information as possible: | ||
|
||
* If you can spend from a `multisig` wallet you do not control the keys for. | ||
* If you can cause a miner to be slashed without them actually misbehaving. | ||
* If you can maintain power without submitting windowed posts regularly. | ||
* If you can craft a message that causes lotus nodes to panic. | ||
* If you can cause your miner to win significantly more blocks than it should. | ||
* If you can craft a message that causes a persistent fork in the network. | ||
* If you can cause the total amount of Filecoin in the network to no longer be 2 billion. | ||
- Type of vulnerability (e.g., panics, denial of service, etc.) | ||
- Affected component or path of the source code (e.g. file paths, branch, commit) | ||
- Step-by-step instructions to reproduce the vulnerability | ||
- Proof-of-concept or exploit code (if available) | ||
- Any necessary configuration details | ||
- Description of the potential impact and how an attacker could exploit it | ||
|
||
This is not an exhaustive list, but should provide some idea of what we consider as a security vulnerability, . | ||
More information on the rewards and impact can be found [here](https://immunefi.com/bounty/filecoin). | ||
|
||
## Reporting a non security bug | ||
## Coordinated Disclosure | ||
|
||
For non-security bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md). | ||
Filecoin follows the principle of Coordinated Disclosure Policy (CDP). We ask that security researchers give us a reasonable timeframe to address the issue before making any public disclosures. More information can be found [here](https://www.fil.org/security/coordinated-disclosure-policy). |
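Review bot: the "## Reporting a non security bug" heading and its pointer to the GitHub issue template (the two lines replaced by "## Coordinated Disclosure" and its paragraph at the end of the hunk) appear to be dropped, which leaves the policy with no guidance on where ordinary bugs should be filed; keep that paragraph as its own section next to the new Coordinated Disclosure text, e.g. `## Reporting a non-security bug` followed by the existing `https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md` link. Smaller points in the same hunk: the sentence ending "hosted on Immunefi" has no terminating period and could link the program directly rather than only in the bullet below; "If you've any questions" reads better as "If you have any questions"; the trailing colon on "### Report through Filecoin Bug Bounty Program:" and the mixed capitalisation of "### Information to Include in bug reports" should be normalised to match "## Reporting a Vulnerability"; and the new list under that heading uses "-" bullets while the list it replaces used "*", so pick one style for the file.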