Update SECURITY.md (#34800)
Added announcement of changes in bounty payouts AND added the high/low for each payout under the respective category
parent 9edf65b877
commit 79b9999f08
SECURITY.md (34 lines changed)
@ -99,33 +99,55 @@ At its sole discretion, the Solana Foundation may offer a bounty for
for more details. The submitter is not required to provide a
mitigation to qualify.
#### IMPORTANT | PLEASE NOTE
_Beginning February 1st 2024, the Security bounty program payouts will be updated in the following ways:_
- _Bug Bounty rewards will be denominated in SOL tokens, rather than USD value._
_This change is to better reflect for changing value of the Solana network._
- _Categories will now have a discretionary range to distinguish the varying severity_
_and impact of bugs reported within each broader category._
_Note: Payments will continue to be paid out in 12-month locked SOL._
#### Loss of Funds:
$2,000,000 USD in locked SOL tokens (locked for 12 months)
Current: $2,000,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 25,000 SOL tokens. Min: 6,250 SOL tokens_
* Theft of funds without users signature from any account
* Theft of funds without users interaction in system, stake, vote programs
* Theft of funds that requires users signature - creating a vote program that drains the delegated stakes.
#### Consensus/Safety Violations:
$1,000,000 USD in locked SOL tokens (locked for 12 months)
Current: $1,000,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 12,500 SOL tokens. Min: 3,125 SOL tokens_
* Consensus safety violation
* Tricking a validator to accept an optimistic confirmation or rooted slot without a double vote, etc.
#### Liveness / Loss of Availability:
$400,000 USD in locked SOL tokens (locked for 12 months)
Current: $400,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 5,000 SOL tokens. Min: 1,250 SOL tokens_
* Whereby consensus halts and requires human intervention
* Eclipse attacks,
* Remote attacks that partition the network,
#### DoS Attacks:
$100,000 USD in locked SOL tokens (locked for 12 months)
Current: $100,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 1,250 SOL tokens. Min: 315 SOL tokens_
* Remote resource exhaustion via Non-RPC protocols
#### Supply Chain Attacks:
$100,000 USD in locked SOL tokens (locked for 12 months)
Current: $100,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 1,250 SOL tokens. Min: 315 SOL tokens_
* Non-social attacks against source code change management, automated testing, release build, release publication and release hosting infrastructure of the monorepo.
#### RPC DoS/Crashes:
$5,000 USD in locked SOL tokens (locked for 12 months)
Current: $5,000 USD in locked SOL tokens (locked for 12 months)<br/>
_**As of 2/1/24:** Max: 65 SOL tokens. Min: 20 SOL tokens_
* RPC attacks
### Out of Scope:
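Review bot: The new SOL minimums in this hunk are not a consistent fraction of the maximums: Loss of Funds, Consensus/Safety and Liveness use exactly 25% (25,000/6,250, 12,500/3,125, 5,000/1,250), but DoS Attacks and Supply Chain Attacks pair `Max: 1,250 SOL tokens` with `Min: 315 SOL tokens` (25% would be 312.5), and RPC DoS/Crashes pairs `Max: 65` with `Min: 20` (about 31%); if the rounding is deliberate that is fine, otherwise align the minimums so the ranges read as one rule. Two smaller points in the same hunk: the `Current:` prefix on each USD line and the `_**As of 2/1/24:**_` lines will both read as stale once February 1st 2024 has passed, so consider dating the USD figure (for example `Until 1/31/24:`) or dropping it at the cutover; and the added sentence `_This change is to better reflect for changing value of the Solana network._` should read `reflect the changing value`.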