SECURITY.md: Require exploit PoC for submission consideration (#31113)

Trent Nelson 2023-04-11 19:32:48 -06:00 committed by GitHub
parent 31784b2ecc
commit 7f7351d763
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions


@ -10,7 +10,9 @@
**DO NOT CREATE A GITHUB ISSUE** to report a security problem.
Instead please use this [Report a Vulnerability](https://github.com/solana-labs/solana/security/advisories/new) link.
Provide a helpful title and detailed description of the problem.
Provide a helpful title, detailed description of the vulnerability and an exploit
proof-of-concept. Speculative submissions without proof-of-concept will be closed
with no further consideration.
If you haven't done so already, please **enable two-factor auth** in your GitHub account.
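Review bot: The new sentence "Speculative submissions without proof-of-concept will be closed with no further consideration" does not say what qualifies as a proof-of-concept, so a reporter with a real finding but no full exploit (for example, a reproducing test case or a crash trace) cannot tell whether the report will be read; consider stating the minimum acceptable form of PoC, and note that the PoC should be attached only through the advisory link referenced on the line above it, not posted anywhere public. The wrapped replacement lines also leave the old "Provide a helpful title and detailed description of the problem." line in place in this rendering; confirm the rendered diff actually removes it.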
@ -73,7 +75,8 @@ Since the software version will not change after the patch is applied, request t
Once the fix has been deployed to the security group validators, the patches from the security advisory may be merged into the main source repository. A new official release for each affected branch should be shipped and all validators requested to upgrade as quickly as possible.
### 7. Security Advisory Bounty Accounting and Cleanup
If this issue is eligible for a bounty, prefix the title of the security advisory with one of the following, depending on the severity:
If this issue is [eligible](#eligibility) for a bounty, prefix the title of the
security advisory with one of the following, depending on the severity:
- [Bounty Category: Critical: Loss of Funds]
- [Bounty Category: Critical: Consensus / Safety Violations]
- [Bounty Category: Critical: Liveness / Loss of Availability]
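Review bot: The new `[eligible](#eligibility)` link points at a heading written as "### Eligibility:" with a trailing colon; GitHub strips the punctuation when generating the anchor so it should resolve there, but other Markdown renderers may not, so consider dropping the colon from the heading (or checking the anchor in the rendered file) so the cross-reference is stable.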
@ -132,8 +135,9 @@ The following components are out of scope for the bounty program
to, any and all web properties not explicitly listed on this page)
### Eligibility:
* Submissions _MUST_ include an exploit proof-of-concept to be considered eligible
* The participant submitting the bug report shall follow the process outlined within this document
* Valid exploits can be eligible even if they are not successfully executed on the cluster
* Valid exploits can be eligible even if they are not successfully executed on a public cluster
* Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
* Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens.
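Review bot: The new first bullet ("Submissions _MUST_ include an exploit proof-of-concept to be considered eligible") restates the requirement added to the reporting section earlier in this same file; keep the wording of the two in sync so a reporter gets one definition of what a PoC is. The change from "the cluster" to "a public cluster" is a useful clarification, but the bullet still reads as if running the exploit on a public cluster were an option; consider saying explicitly that a PoC demonstrated in a local or test environment is sufficient and that public clusters should not be used for testing.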