mirror of
https://github.com/filecoin-project/lotus.git
synced 2025-05-17 15:20:37 +08:00
chore: update Security.md (#12507)
* Updating Security.md
* Refactoring Security.md
* Update SECURITY.md

---------

Co-authored-by: Phi-rjan <orjan.roren@gmail.com>
36
SECURITY.md
@ -1,23 +1,33 @@
# Security Policy
At Filecoin, we take the security of our software with the utmost seriousness. Ensuring the security of our decentralized network is a critical priority, and we rely on both internal teams and the wider security community to help us safeguard it.
If you believe you have found a security vulnerability that meets our criteria for a valid security concern, we encourage you to report it through the appropriate channels outlined below.
## Reporting a Vulnerability
For reporting security vulnerabilities/bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md. Security vulnerabilities should be reported via our [Vulnerability Reporting channels](https://github.com/filecoin-project/community/blob/master/SECURITY.md#vulnerability-reporting) and will be eligible for a [Bug Bounty](https://security.filecoin.io/bug-bounty/).
Please do not report security vulnerabilities via public GitHub issues.
Instead, we ask that you report potential security issues responsibly through our Bug Bounty Program hosted on Immunefi
Please try to provide a clear description of any bugs reported, along with how to reproduce the bug if possible. More detailed bug reports (especially those with a PoC included) will help us move forward much faster. Additionally, please avoid reporting bugs that already have open issues. Take a moment to search the issue list of the related GitHub repositories before writing up a new report.
### Report through Filecoin Bug Bounty Program:
- We offer rewards for valid security vulnerability reports through our [Immunefi Bug Bounty Program](https://immunefi.com/bounty/filecoin/). This is our preferred method for handling reports, and the program outlines the types of vulnerabilities eligible for rewards. We offer up to 150k USD bounty for consensus critical issues.
Here are some examples of bugs we would consider to be security vulnerabilities:
- If you've any questions on eligibility for the bug bounty or security in general, feel free to reach out to us at security@fil.org.
* If you can spend from a `multisig` wallet you do not control the keys for.
* If you can cause a miner to be slashed without them actually misbehaving.
* If you can maintain power without submitting windowed posts regularly.
* If you can craft a message that causes lotus nodes to panic.
* If you can cause your miner to win significantly more blocks than it should.
* If you can craft a message that causes a persistent fork in the network.
* If you can cause the total amount of Filecoin in the network to no longer be 2 billion.
We highly value the contributions of our security researchers and recognize the importance of their work in keeping Filecoin secure. To show our appreciation, we maintain a [leaderboard](https://www.fil.org/security/bug-bounty) on our website, acknowledging top contributors who help us strengthen the network by responsibly disclosing vulnerabilities. Researchers who follow our disclosure guidelines and provide detailed reports will not only be eligible for bounty rewards through our [Immunefi Bug Bounty Program](https://immunefi.com/bounty/filecoin/) but also have the opportunity to earn recognition on our Filecoin Security Leaderboard.
This is not an exhaustive list, but should provide some idea of what we consider as a security vulnerability, .
### Information to Include in bug reports
## Reporting a non security bug
To help us better assess and address the issue, please provide as much of the following information as possible:
For non-security bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md).
- Type of vulnerability (e.g., panics, denial of service, etc.)
- Affected component or path of the source code (e.g. file paths, branch, commit)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code (if available)
- Any necessary configuration details
- Description of the potential impact and how an attacker could exploit it
More information on the rewards and impact can be found [here](https://immunefi.com/bounty/filecoin).
## Coordinated Disclosure
Filecoin follows the principle of Coordinated Disclosure Policy (CDP). We ask that security researchers give us a reasonable timeframe to address the issue before making any public disclosures. More information can be found [here](https://www.fil.org/security/coordinated-disclosure-policy).
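Review bot: The reporting guidance in this hunk points researchers to three different places without saying which one to use: the paragraph under "Reporting a Vulnerability" sends them to the community SECURITY.md "Vulnerability Reporting channels", the next paragraph says to report "through our Bug Bounty Program hosted on Immunefi" (a sentence that also has no terminating period and no link to the program), and the bullet that follows adds security@fil.org for questions; stating once that Immunefi is the submission channel and the community document is the policy reference would remove the ambiguity. Two smaller things: "what we consider as a security vulnerability, ." has a stray ", ." and "If you've any questions" reads better as "If you have any questions". Also, as rendered here the "Information to Include in bug reports" heading and its checklist land around the "Reporting a non security bug" heading and its single GitHub-issue sentence; worth checking the final file so that the vulnerability-report checklist (type, affected component, reproduction steps, PoC, configuration, impact) sits under the security section and the non-security section keeps only the issue-template pointer.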