If you discover a security vulnerability in the Filecoin Pin website, please report it responsibly. Do not open a public issue.
Use the Security tab in this repository to submit a private vulnerability report. This reaches the maintainers directly.
If your finding is in the Filecoin Pin CLI or GitHub Action rather than the website, report it on the filecoin-pin repository instead.
If your finding affects the core Filecoin protocol (Lotus, builtin-actors, FVM, F3, and other in-scope repositories), report it through the Filecoin Bug Bounty Program on Immunefi:
The program is administered by Filecoin Foundation and offers bounties for qualifying vulnerabilities. See the Coordinated Disclosure Policy for the full process, timelines, and Safe Harbor provisions.
When reporting, please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Affected version(s) or commit(s)
- Any suggested mitigation or fix
After you report, you can expect:
- Acknowledgement within 3 business days
- An initial assessment within 10 business days
- Coordination with you on disclosure timing
For questions about this policy or the broader Filecoin security program, see fil.org/security.