If you discover a security vulnerability in Filecoin Pin, please report it responsibly. Do not open a public issue.
Use the Security tab in this repository to submit a private vulnerability report. This reaches the maintainers directly.
If your finding affects the core Filecoin protocol (Lotus, builtin-actors, FVM, F3, and other in-scope repositories), report it through the Filecoin Bug Bounty Program on Immunefi:
The program is administered by Filecoin Foundation and offers bounties for qualifying vulnerabilities. See the Coordinated Disclosure Policy for the full process, timelines, and Safe Harbor provisions.
Filecoin Pin depends on the FOC smart contract stack (Filecoin Pay, FWSS, PDPVerifier). If your finding is in one of these contracts rather than in Filecoin Pin itself, report it via private vulnerability reporting on the affected repository under the FilOzone organization.
When you report, please include:

- Description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Affected version(s) or commit(s)
- Any suggested mitigation or fix
After you report, you can expect:

- Acknowledgement within 3 business days
- An initial assessment within 10 business days
- Coordination with you on disclosure timing
For questions about this policy or the broader Filecoin security program, see fil.org/security.