If you discover a security vulnerability in any repository under the FilOzone organization, please report it responsibly. Do not open a public issue.
Use GitHub's private vulnerability reporting feature, available in the Security tab of the affected repository. This reaches the FOC engineering team directly.
Repositories covered:
- filecoin-services (FWSS, ServiceProviderRegistry)
- pdp (PDPVerifier)
- filecoin-pay (Filecoin Pay)
- synapse-sdk (Synapse SDK)
- SessionKeyRegistry
- dealbot
Bugs affecting the core Filecoin protocol (Lotus, builtin-actors, FVM, F3, and other in-scope repositories) should be reported through the Filecoin Bug Bounty Program on Immunefi:
The program is administered by Filecoin Foundation and offers bounties for qualifying vulnerabilities. A proof of concept is required for all severity levels. See the Coordinated Disclosure Policy for details on the reporting process, timelines, and Safe Harbor provisions.
The Immunefi bounty program covers the core Filecoin protocol repositories listed on the program page. FOC application-layer repositories (this organization) are not currently in the Immunefi scope, but we take all reports seriously and will coordinate with Filecoin Foundation where a vulnerability has protocol-level implications.
Please include the following in your report:
- Description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Affected version(s) or commit(s)
- Any suggested mitigation or fix
After you submit a report, you can expect:
- Acknowledgement within 3 business days
- An initial assessment within 10 business days
- We will coordinate with you on disclosure timing
For questions about this policy, reach out to the Filecoin Foundation security team.