From 527b4ac76cfe97eccbf7947309a9be300d269b33 Mon Sep 17 00:00:00 2001 From: Trent Nelson Date: Fri, 20 May 2022 15:33:32 -0600 Subject: [PATCH] Update SECURITY.md heading anchors --- SECURITY.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 270110f773..d628f54f3b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -74,36 +74,36 @@ We currently do not use the Github workflow to publish security advisories. Once ## Security Bug Bounties We offer bounties for critical security issues. Please see below for more details. -Loss of Funds: +#### Loss of Funds: $2,000,000 USD in locked SOL tokens (locked for 12 months) * Theft of funds without users signature from any account * Theft of funds without users interaction in system, token, stake, vote programs * Theft of funds that requires users signature - creating a vote program that drains the delegated stakes. -Consensus/Safety Violations: +#### Consensus/Safety Violations: $1,000,000 USD in locked SOL tokens (locked for 12 months) * Consensus safety violation * Tricking a validator to accept an optimistic confirmation or rooted slot without a double vote, etc. -Liveness / Loss of Availability: +#### Liveness / Loss of Availability: $400,000 USD in locked SOL tokens (locked for 12 months) * Whereby consensus halts and requires human intervention * Eclipse attacks, * Remote attacks that partition the network, -DoS Attacks: +#### DoS Attacks: $100,000 USD in locked SOL tokens (locked for 12 months) * Remote resource exaustion via Non-RPC protocols -Supply Chain Attacks: +#### Supply Chain Attacks: $100,000 USD in locked SOL tokens (locked for 12 months) * Non-social attacks against source code change management, automated testing, release build, release publication and release hosting infrastructure of the monorepo. -RPC DoS/Crashes: +#### RPC DoS/Crashes: $5,000 USD in locked SOL tokens (locked for 12 months) * RPC attacks -Out of Scope: +### Out of Scope: The following components are out of scope for the bounty program * Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com * Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com 
@@ -111,13 +111,13 @@ The following components are out of scope for the bounty program * Bugs in dependencies. Please take them upstream! * Attacks that require social engineering -Eligibility: +### Eligibility: * The participant submitting the bug report shall follow the process outlined within this document * Valid exploits can be eligible even if they are not successfully executed on the cluster * Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis * Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens. -Payment of Bug Bounties: +### Payment of Bug Bounties: * Bounties are currently awarded on a rolling/weekly basis and paid out within 15 days upon receipt of an invoice. * The SOL/USD conversion rate used for payments is the market price of SOL (denominated in USD) at the end of the day the invoice is submitted by the researcher. * The reference for this price is the Closing Price given by Coingecko.com on that date given here: https://www.coingecko.com/en/coins/solana/historical_data/usd#panel
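Review bot: the heading levels in the first hunk (`@@ -74,36 +74,36 @@`) are inconsistent, and that matters because the subject line says the point of the change is the anchors. The six bounty tiers (`#### Loss of Funds:` through `#### RPC DoS/Crashes:`) become level-4 headings directly under the level-2 `## Security Bug Bounties`, skipping level 3, while `### Out of Scope:` in the same hunk is level 3. Either promote the tiers to `###` so that they sit on the same level as "Out of Scope", or state in the commit message which exact anchor slugs external links expect, since GitHub derives the slug from the heading text and ignores the level. Two smaller points on the same hunk: the trailing colons in `#### Loss of Funds:` and friends are carried over from the plain-text labels and read oddly as headings (GitHub drops the colon when it builds the slug, so removing it does not change the anchor), and the unchanged context line `* Remote resource exaustion via Non-RPC protocols` has a typo ("exhaustion") worth fixing in the same pass.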
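Review bot: in the second hunk (`@@ -111,13 +111,13 @@`) `### Eligibility:` and `### Payment of Bug Bounties:` keep the trailing colon, so the same decision as for the bounty tiers applies here; pick one convention for the whole file. Since these lines were not headings before, no anchors existed for them and nothing external can have linked to them yet, which makes the subject line "Update SECURITY.md heading anchors" misleading; "Turn bounty section labels into headings" would describe what the patch does, and a sentence in the body naming the page or document that will link to `#eligibility` and `#payment-of-bug-bounties` would let a future editor know these slugs must not be changed.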