Security Team Update: March 2025
Mar 31, 2025
Security is the backbone of any successful technology ecosystem — especially decentralized ecosystems. The Filecoin Foundation Security Team is dedicated to protecting the Filecoin network and its community of developers, storage providers, and users. The approach to security in a decentralized ecosystem is incredibly broad, and our team has been hard at work designing and scaling a program that can support an ever-growing community.
The Filecoin Foundation’s Security Team has initiated and grown four primary programs over the last year, with more to come! Each of these programs enhances Filecoin’s security in a unique way, providing core security capabilities to a sprawling set of organizations and technologies. For storage providers and network contributors, these efforts mean greater confidence that the protocol they rely on is being fortified every day. For developers, it means you have support to build secure products. For investors and Filecoin users, it means the network’s value and data are protected by a comprehensive, professional security apparatus that leaves no stone unturned. In short, the Security Team’s work leads to stronger trust, reliability, and longevity for the Filecoin network.
A Decentralized Incident Response Team
Incident response capabilities can be challenging to coordinate in decentralized systems, where coverage needs to span vast technology platforms spread across different geographies and projects. We’re now coordinating a network of responders to monitor the blockchain and infrastructure around the clock; this decentralized model means 24/7 monitoring across teams and time zones, so threats are addressed rapidly, no matter when or where they occur. This collaborative approach means faster reaction times, a more resilient network, and less overhead for responder ramp-up, and it ensures we have the right expertise handling the right problems. The result is an incident response capability that matches Filecoin’s global, decentralized nature and keeps the network stable and robust.
The Filecoin Bug Bounty Program
The Filecoin bug bounty program incentivizes the responsible disclosure of security vulnerabilities, bugs, and issues. We are dedicated to ensuring that any issues submitted through the bug bounty program are validated, rewarded well, and reach resolution quickly. Since 2020, Filecoin has worked with 100+ top security researchers and rewarded more than $650k in bounties. Every submitted bounty is reviewed by FF staff and senior core contributors. This helps to ensure that issues are thoroughly evaluated, rated appropriately, and resolved quickly.
Continuous Testing and Monitoring
We recognize that real-world threats rarely follow neat, predetermined patterns. Unlike traditional unit or integration tests, which specify known inputs and verify expected outputs, continuous testing uses techniques like chaos engineering, fuzzing, and attribute tampering within a realistic yet controlled simulation environment to uncover “unknown unknowns.” With the continuous testing platform, we are constantly injecting unpredictable or randomized inputs and conditions, enabling us to reveal any subtle or long-buried vulnerabilities that conventional testing and security audits might miss. This is a proactive approach that not only identifies issues that could otherwise remain dormant for years but also equips FF and the ecosystem with actionable data that allows us to stay ahead of some categories of emerging threats.
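To make the contrast between fixed-input tests and randomized testing concrete, here is an added Go example; it is not code from the Filecoin Foundation or from the continuous testing platform described above. The toy length-prefixed decoder, its hardened variant, the seeded input generator and the sample inputs are all constructed for this illustration. Both decoders pass the hand-written cases, while random inputs expose the unchecked length prefix in the naive one, and the fixed seed makes the first crasher reproducible so it can be triaged and turned into a regression test.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
)

// ErrTruncated is returned by the hardened decoder when the declared
// payload length exceeds the bytes actually present.
var ErrTruncated = errors.New("length prefix exceeds available bytes")

// decodeNaive is a constructed toy decoder for a length-prefixed message:
// the first byte is the payload length, the rest is the payload. It trusts
// the prefix and slices without checking, a defect that well-formed unit
// test inputs never exercise.
func decodeNaive(msg []byte) []byte {
	n := int(msg[0])
	return msg[1 : 1+n]
}

// decodeChecked is the hardened form: every index is validated before use.
func decodeChecked(msg []byte) ([]byte, error) {
	if len(msg) == 0 {
		return nil, ErrTruncated
	}
	n := int(msg[0])
	if 1+n > len(msg) {
		return nil, ErrTruncated
	}
	return msg[1 : 1+n], nil
}

// unitTestsPass mirrors a conventional unit test: known, well-formed inputs
// with expected outputs. Both decoders pass, so it says nothing about how
// they behave on malformed input.
func unitTestsPass() bool {
	cases := []struct{ in, want []byte }{
		{[]byte{0}, []byte{}},
		{[]byte{3, 'a', 'b', 'c'}, []byte("abc")},
	}
	for _, c := range cases {
		if string(decodeNaive(c.in)) != string(c.want) {
			return false
		}
		got, err := decodeChecked(c.in)
		if err != nil || string(got) != string(c.want) {
			return false
		}
	}
	return true
}

// crashed reports whether decode panicked on msg (index or slice bounds
// errors are runtime panics, which recover() catches).
func crashed(decode func([]byte), msg []byte) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	decode(msg)
	return false
}

// fuzz feeds decode `iterations` random messages (0 to 7 bytes long) drawn
// from a seeded PRNG and returns how many made it panic plus the first
// crasher. A fixed seed keeps the run reproducible.
func fuzz(decode func([]byte), seed int64, iterations int) (crashes int, firstCrasher []byte) {
	rng := rand.New(rand.NewSource(seed))
	for i := 0; i < iterations; i++ {
		msg := make([]byte, rng.Intn(8))
		rng.Read(msg)
		if crashed(decode, msg) {
			if crashes == 0 {
				firstCrasher = append([]byte(nil), msg...)
			}
			crashes++
		}
	}
	return crashes, firstCrasher
}

func main() {
	fmt.Println("hand-written unit tests pass for both decoders:", unitTestsPass())
	n, c := fuzz(func(b []byte) { decodeNaive(b) }, 1, 1000)
	fmt.Printf("naive decoder: %d crashes in 1000 random inputs, first crasher %v\n", n, c)
	n, _ = fuzz(func(b []byte) { decodeChecked(b) }, 1, 1000)
	fmt.Printf("checked decoder: %d crashes in 1000 random inputs\n", n)
}
```

The random generator here is deliberately simple; a real continuous testing platform would add coverage guidance, structure-aware mutation and a corpus of saved crashers, but the defining property is the same: the inputs are not chosen by the person who wrote the code, so they reach the cases that person did not think of.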
The Auditor Network
A common frustration when building on any ecosystem is getting a quality security audit. With Security Team members who have experience in the auditing industry, FF understands this challenge first-hand. Last year, we kicked off the Auditor Network, which vets auditing teams for knowledge of the Filecoin ecosystem, pre-negotiates rates, and provides specialized development categories so that developers and projects can access more efficient audits. We maintain the Auditor Network to ensure that auditors are responsive, competitively priced, and comprehensive in their audits of Filecoin ecosystem projects.
We believe that by making security fundamentals an easy choice, projects and teams will naturally be inclined to implement security practices. Ultimately, this will result in a more comprehensive and robust security posture across the ecosystem.
While these are the major initiatives of the last year, the Filecoin Foundation Security Team is continually looking for new ways to broaden participation in securing the ecosystem. These efforts are only possible with active participation, and we look to the community to grow and extend these capabilities. If you’re interested in getting involved, please reach out to security@fil.org.