Update SECURITY.md

heading anchors
Trent Nelson 2022-05-20 15:33:32 -06:00 committed by GitHub
parent c5792eddf1
commit 527b4ac76c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 9 additions and 9 deletions


@ -74,36 +74,36 @@ We currently do not use the Github workflow to publish security advisories. Once
## Security Bug Bounties
We offer bounties for critical security issues. Please see below for more details.
Loss of Funds:
#### Loss of Funds:
$2,000,000 USD in locked SOL tokens (locked for 12 months)
* Theft of funds without users signature from any account
* Theft of funds without users interaction in system, token, stake, vote programs
* Theft of funds that requires users signature - creating a vote program that drains the delegated stakes.
Consensus/Safety Violations:
#### Consensus/Safety Violations:
$1,000,000 USD in locked SOL tokens (locked for 12 months)
* Consensus safety violation
* Tricking a validator to accept an optimistic confirmation or rooted slot without a double vote, etc.
Liveness / Loss of Availability:
#### Liveness / Loss of Availability:
$400,000 USD in locked SOL tokens (locked for 12 months)
* Whereby consensus halts and requires human intervention
* Eclipse attacks,
* Remote attacks that partition the network,
DoS Attacks:
#### DoS Attacks:
$100,000 USD in locked SOL tokens (locked for 12 months)
* Remote resource exaustion via Non-RPC protocols
Supply Chain Attacks:
#### Supply Chain Attacks:
$100,000 USD in locked SOL tokens (locked for 12 months)
* Non-social attacks against source code change management, automated testing, release build, release publication and release hosting infrastructure of the monorepo.
RPC DoS/Crashes:
#### RPC DoS/Crashes:
$5,000 USD in locked SOL tokens (locked for 12 months)
* RPC attacks
Out of Scope:
### Out of Scope:
The following components are out of scope for the bounty program
* Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com
* Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com
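Review bot: the typo "exaustion" in the DoS Attacks bullet ("Remote resource exaustion via Non-RPC protocols") survives this hunk even though every line of that block is being rewritten; change it to "Remote resource exhaustion via non-RPC protocols" here rather than in a follow-up. The two Loss of Funds bullets have the same problem with "without users signature" and "that requires users signature", which should read "user's signature". Separately, the new heading levels are uneven: the bounty tiers get `####` directly under the `##` "Security Bug Bounties" heading, skipping `###`, while "Out of Scope" gets `###`, so the generated anchors suggest the tiers are nested under something that does not exist. Either make the tiers `###` as well, or introduce a `###` heading above them so the hierarchy is consistent.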
@ -111,13 +111,13 @@ The following components are out of scope for the bounty program
* Bugs in dependencies. Please take them upstream!
* Attacks that require social engineering
Eligibility:
### Eligibility:
* The participant submitting the bug report shall follow the process outlined within this document
* Valid exploits can be eligible even if they are not successfully executed on the cluster
* Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
* Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens.
Payment of Bug Bounties:
### Payment of Bug Bounties:
* Bounties are currently awarded on a rolling/weekly basis and paid out within 15 days upon receipt of an invoice.
* The SOL/USD conversion rate used for payments is the market price of SOL (denominated in USD) at the end of the day the invoice is submitted by the researcher.
* The reference for this price is the Closing Price given by Coingecko.com on that date given here: https://www.coingecko.com/en/coins/solana/historical_data/usd#panel
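Review bot: the third Eligibility bullet is a run-on that reads "though may be compensated at a lower rate, however these will be assessed on a case-by-case basis"; split it into two sentences, e.g. "Multiple submissions for the same class of exploit are still eligible for compensation, though they may be compensated at a lower rate. These will be assessed on a case-by-case basis." In the KYC bullet, the word "here" is separated from the link it refers to ("sign the participation agreement here when the registrations are open https://solana.foundation/kyc"); put the URL where "here" is, or make "here" the link text in the rendered output.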