lotus/SECURITY.md

# Security Policy

## Reporting a Vulnerability

For reporting security vulnerabilities/bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md. Security vulnerabilities should be reported via our [Vulnerability Reporting channels](https://github.com/filecoin-project/community/blob/master/SECURITY.md#vulnerability-reporting) and will be eligible for a [Bug Bounty](https://security.filecoin.io/bug-bounty/).

Please try to provide a clear description of any bugs reported, along with how to reproduce the bug if possible. More detailed bug reports (especially those with a PoC included) will help us move forward much faster. Additionally, please avoid reporting bugs that already have open issues. Take a moment to search the issue list of the related GitHub repositories before writing up a new report.

Here are some examples of bugs we would consider to be security vulnerabilities:

* If you can spend from a `multisig` wallet you do not control the keys for.
* If you can cause a miner to be slashed without them actually misbehaving.
* If you can maintain power without submitting windowed posts regularly.
* If you can craft a message that causes lotus nodes to panic.
* If you can cause your miner to win significantly more blocks than it should.
* If you can craft a message that causes a persistent fork in the network.
* If you can cause the total amount of Filecoin in the network to no longer be 2 billion.

This is not an exhaustive list, but should provide some idea of what we consider as a security vulnerability, . 

## Reporting a non security bug

For non-security bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md).
doc: report a vulnerability 2020-06-22 15:45:24 +00:00			`# Security Policy`

			`## Reporting a Vulnerability`

Update SECURITY.md (#5246) Based on feedback from @zgfzgf and a few others - recommending that we make this change to offer more clarity on what is meant by security issues (which are not always "Critical" in severity). 2020-12-23 03:48:25 +00:00			`For reporting security vulnerabilities/bugs, please consult our Security Policy and Responsible Disclosure Program information at https://github.com/filecoin-project/community/blob/master/SECURITY.md. Security vulnerabilities should be reported via our [Vulnerability Reporting channels](https://github.com/filecoin-project/community/blob/master/SECURITY.md#vulnerability-reporting) and will be eligible for a [Bug Bounty](https://security.filecoin.io/bug-bounty/).`
doc: report a vulnerability 2020-06-22 15:45:24 +00:00
			`Please try to provide a clear description of any bugs reported, along with how to reproduce the bug if possible. More detailed bug reports (especially those with a PoC included) will help us move forward much faster. Additionally, please avoid reporting bugs that already have open issues. Take a moment to search the issue list of the related GitHub repositories before writing up a new report.`

Update SECURITY.md (#5246) Based on feedback from @zgfzgf and a few others - recommending that we make this change to offer more clarity on what is meant by security issues (which are not always "Critical" in severity). 2020-12-23 03:48:25 +00:00			`Here are some examples of bugs we would consider to be security vulnerabilities:`
doc: report a vulnerability 2020-06-22 15:45:24 +00:00
			* If you can spend from a `multisig` wallet you do not control the keys for.
			`* If you can cause a miner to be slashed without them actually misbehaving.`
			`* If you can maintain power without submitting windowed posts regularly.`
			`* If you can craft a message that causes lotus nodes to panic.`
			`* If you can cause your miner to win significantly more blocks than it should.`
			`* If you can craft a message that causes a persistent fork in the network.`
			`* If you can cause the total amount of Filecoin in the network to no longer be 2 billion.`

Update SECURITY.md (#5246) Based on feedback from @zgfzgf and a few others - recommending that we make this change to offer more clarity on what is meant by security issues (which are not always "Critical" in severity). 2020-12-23 03:48:25 +00:00			`This is not an exhaustive list, but should provide some idea of what we consider as a security vulnerability, .`
doc: report a vulnerability 2020-06-22 15:45:24 +00:00
Update SECURITY.md 2020-10-14 13:11:30 +00:00			`## Reporting a non security bug`
doc: report a vulnerability 2020-06-22 15:45:24 +00:00
Update SECURITY.md (#5246) Based on feedback from @zgfzgf and a few others - recommending that we make this change to offer more clarity on what is meant by security issues (which are not always "Critical" in severity). 2020-12-23 03:48:25 +00:00			`For non-security bugs, please simply file a GitHub [issue](https://github.com/filecoin-project/lotus/issues/new?template=bug_report.md).`