search

filecoin-project / community

Filecoin community and ecosystem channels, discussion forums, and more
Other
474 stars 164 forks source link

FVM Milestone 1 Bug Bounty Program #504

Open eshon opened 2 years ago

eshon commented 2 years ago

About

The Filecoin Virtual Machine is a new and exciting addition to the Filecoin protocol to support user-programmability and EVM-compatibility.

The FVM will be added to the live Filecoin network in several milestones.

Bug Bounties are now live for FVM Milestone 1 until the end of June.

Milestone 1 is scheduled for deployment to Filecoin mainnet on July 7, 2022 as part of Filecoin network upgrade v16 Skyr.

As part of Milestone 1, the Filecoin network will be transitioning to exclusive use of the FVM. All client implementations will switch from current legacy VMs to the new Wasm-based reference FVM. For M1 built-in actors in Rust (actors are smart contracts in Filecoin) will be supported.

User-programmable actors on the horizon for a later Milestone 2 release in Q3 2022 (estimated).

Rewards

Rewards for FVM bug bounties are the same as in the regular bug bounty program for the Filecoin project.

Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.

Severity Points
Critical up to 100,000
High up to 50,000
Medium up to 15,000
Low up to 2,500
Note up to 500

Where currently 1 point = 1 USD (payable in USD, DAI or FIL).

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.

Scope

Ref FVM

Lotus - Ref FVM integration

Lotus - Filecoin FFI

Builtin Actors

Exclusions to Scope including Known Issues are listed here on Github and will be regularly updated.

Submit a Report

To report vulnerabilities, please contact security@filecoin.io to be eligible for bounties.

You can use the confidential reporting guidelines listed here.

Rules

Rules of the regular Filecoin Security Program apply, including what’s Out of Scope.

Bugs in Filecoin client implementations (Lotus, Venus, Forest, Fuhon) and the Filecoin Proofs libraries fall under the regular Filecoin Security Program scope and rewards.

Stay tuned for FVM bug bounties for Milestone 2 this Summer!

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

This issue now has a funding of 4910.0 DAI (4910.0 USD @ $1.0/DAI) attached to it.

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Work for 4910.0 DAI (4910.0 USD @ $1.0/DAI) has been submitted by:

  1. @mopdo

@eshon please take a look at the submitted work: