parent
c5792eddf1
commit
527b4ac76c
18
SECURITY.md
18
SECURITY.md
|
@ -74,36 +74,36 @@ We currently do not use the Github workflow to publish security advisories. Once
|
||||||
## Security Bug Bounties
|
## Security Bug Bounties
|
||||||
We offer bounties for critical security issues. Please see below for more details.
|
We offer bounties for critical security issues. Please see below for more details.
|
||||||
|
|
||||||
Loss of Funds:
|
#### Loss of Funds:
|
||||||
$2,000,000 USD in locked SOL tokens (locked for 12 months)
|
$2,000,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* Theft of funds without users signature from any account
|
* Theft of funds without users signature from any account
|
||||||
* Theft of funds without users interaction in system, token, stake, vote programs
|
* Theft of funds without users interaction in system, token, stake, vote programs
|
||||||
* Theft of funds that requires users signature - creating a vote program that drains the delegated stakes.
|
* Theft of funds that requires users signature - creating a vote program that drains the delegated stakes.
|
||||||
|
|
||||||
Consensus/Safety Violations:
|
#### Consensus/Safety Violations:
|
||||||
$1,000,000 USD in locked SOL tokens (locked for 12 months)
|
$1,000,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* Consensus safety violation
|
* Consensus safety violation
|
||||||
* Tricking a validator to accept an optimistic confirmation or rooted slot without a double vote, etc.
|
* Tricking a validator to accept an optimistic confirmation or rooted slot without a double vote, etc.
|
||||||
|
|
||||||
Liveness / Loss of Availability:
|
#### Liveness / Loss of Availability:
|
||||||
$400,000 USD in locked SOL tokens (locked for 12 months)
|
$400,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* Whereby consensus halts and requires human intervention
|
* Whereby consensus halts and requires human intervention
|
||||||
* Eclipse attacks,
|
* Eclipse attacks,
|
||||||
* Remote attacks that partition the network,
|
* Remote attacks that partition the network,
|
||||||
|
|
||||||
DoS Attacks:
|
#### DoS Attacks:
|
||||||
$100,000 USD in locked SOL tokens (locked for 12 months)
|
$100,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* Remote resource exaustion via Non-RPC protocols
|
* Remote resource exaustion via Non-RPC protocols
|
||||||
|
|
||||||
Supply Chain Attacks:
|
#### Supply Chain Attacks:
|
||||||
$100,000 USD in locked SOL tokens (locked for 12 months)
|
$100,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* Non-social attacks against source code change management, automated testing, release build, release publication and release hosting infrastructure of the monorepo.
|
* Non-social attacks against source code change management, automated testing, release build, release publication and release hosting infrastructure of the monorepo.
|
||||||
|
|
||||||
RPC DoS/Crashes:
|
#### RPC DoS/Crashes:
|
||||||
$5,000 USD in locked SOL tokens (locked for 12 months)
|
$5,000 USD in locked SOL tokens (locked for 12 months)
|
||||||
* RPC attacks
|
* RPC attacks
|
||||||
|
|
||||||
Out of Scope:
|
### Out of Scope:
|
||||||
The following components are out of scope for the bounty program
|
The following components are out of scope for the bounty program
|
||||||
* Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com
|
* Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com
|
||||||
* Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com
|
* Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com
|
||||||
|
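Review bot: the heading levels introduced in this hunk skip a level: the bounty tiers (Loss of Funds, Consensus/Safety Violations, Liveness / Loss of Availability, DoS Attacks, Supply Chain Attacks, RPC DoS/Crashes) become `####` directly under `## Security Bug Bounties` with no `###` in between, while the sections that follow them in the same file become `###`. Either use `###` for the tiers as well, or add a `### Bounty Categories` heading (name suggested here, not in the diff) above `#### Loss of Funds:` so the hierarchy is consistent and renders sensibly in a generated table of contents. The trailing colons carried into the new headings (`#### Loss of Funds:`, `#### DoS Attacks:`) read as labels rather than headings; dropping them would be cleaner. Since these lines are being rewritten anyway, the unchanged context `* Remote resource exaustion via Non-RPC protocols` could be corrected to `exhaustion`, and `users signature` to `user's signature`, in the same commit.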
@ -111,13 +111,13 @@ The following components are out of scope for the bounty program
|
||||||
* Bugs in dependencies. Please take them upstream!
|
* Bugs in dependencies. Please take them upstream!
|
||||||
* Attacks that require social engineering
|
* Attacks that require social engineering
|
||||||
|
|
||||||
Eligibility:
|
### Eligibility:
|
||||||
* The participant submitting the bug report shall follow the process outlined within this document
|
* The participant submitting the bug report shall follow the process outlined within this document
|
||||||
* Valid exploits can be eligible even if they are not successfully executed on the cluster
|
* Valid exploits can be eligible even if they are not successfully executed on the cluster
|
||||||
* Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
|
* Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
|
||||||
* Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens.
|
* Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens.
|
||||||
|
|
||||||
Payment of Bug Bounties:
|
### Payment of Bug Bounties:
|
||||||
* Bounties are currently awarded on a rolling/weekly basis and paid out within 15 days upon receipt of an invoice.
|
* Bounties are currently awarded on a rolling/weekly basis and paid out within 15 days upon receipt of an invoice.
|
||||||
* The SOL/USD conversion rate used for payments is the market price of SOL (denominated in USD) at the end of the day the invoice is submitted by the researcher.
|
* The SOL/USD conversion rate used for payments is the market price of SOL (denominated in USD) at the end of the day the invoice is submitted by the researcher.
|
||||||
* The reference for this price is the Closing Price given by Coingecko.com on that date given here: https://www.coingecko.com/en/coins/solana/historical_data/usd#panel
|
* The reference for this price is the Closing Price given by Coingecko.com on that date given here: https://www.coingecko.com/en/coins/solana/historical_data/usd#panel
|
||||||
|
|
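Review bot: `### Out of Scope:`, `### Eligibility:` and `### Payment of Bug Bounties:` keep a trailing colon inside the heading text; drop it so these read as Markdown headings rather than inline labels. With the document now structured as headings, the Eligibility bullet `sign the participation agreement here when the registrations are open https://solana.foundation/kyc` stands out: `here` points at nothing, so consider turning it into a link, `[here](https://solana.foundation/kyc)`, and the same for the bare Coingecko URL in the Payment bullet.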