SECURITY.md: Require exploit PoC for submission consideration (#31113)

Trent Nelson 2023-04-11 19:32:48 -06:00 committed by GitHub
parent 31784b2ecc
commit 7f7351d763
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 3 deletions


@ -10,7 +10,9 @@
**DO NOT CREATE A GITHUB ISSUE** to report a security problem. **DO NOT CREATE A GITHUB ISSUE** to report a security problem.
Instead please use this [Report a Vulnerability](https://github.com/solana-labs/solana/security/advisories/new) link. Instead please use this [Report a Vulnerability](https://github.com/solana-labs/solana/security/advisories/new) link.
Provide a helpful title and detailed description of the problem. Provide a helpful title, detailed description of the vulnerability and an exploit
proof-of-concept. Speculative submissions without proof-of-concept will be closed
with no further consideration.
If you haven't done so already, please **enable two-factor auth** in your GitHub account. If you haven't done so already, please **enable two-factor auth** in your GitHub account.
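Review bot: the new requirement "an exploit proof-of-concept" in this hunk gives no guidance on what form the PoC should take or where it may be run, while the Eligibility hunk later in this change only says valid exploits need not be "successfully executed on a public cluster". Suggest stating here, next to the reporting link, that the PoC should be demonstrated against a local test validator or a non-production cluster rather than a public one, so that the reporting instructions and the eligibility rules say the same thing. The sentence "Speculative submissions without proof-of-concept will be closed with no further consideration" would also benefit from a short note on what to do for findings where a full exploit is impractical to build (for example a design-level issue), otherwise reporters may hold back legitimate reports; if that is the intended policy, it is still worth saying so explicitly.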
@ -73,7 +75,8 @@ Since the software version will not change after the patch is applied, request t
Once the fix has been deployed to the security group validators, the patches from the security advisory may be merged into the main source repository. A new official release for each affected branch should be shipped and all validators requested to upgrade as quickly as possible. Once the fix has been deployed to the security group validators, the patches from the security advisory may be merged into the main source repository. A new official release for each affected branch should be shipped and all validators requested to upgrade as quickly as possible.
### 7. Security Advisory Bounty Accounting and Cleanup ### 7. Security Advisory Bounty Accounting and Cleanup
If this issue is eligible for a bounty, prefix the title of the security advisory with one of the following, depending on the severity: If this issue is [eligible](#eligibility) for a bounty, prefix the title of the
security advisory with one of the following, depending on the severity:
- [Bounty Category: Critical: Loss of Funds] - [Bounty Category: Critical: Loss of Funds]
- [Bounty Category: Critical: Consensus / Safety Violations] - [Bounty Category: Critical: Consensus / Safety Violations]
- [Bounty Category: Critical: Liveness / Loss of Availability] - [Bounty Category: Critical: Liveness / Loss of Availability]
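Review bot: the new intra-document link `[eligible](#eligibility)` relies on the auto-generated anchor for the heading `### Eligibility:` (the trailing colon is dropped when the anchor is generated, so `#eligibility` resolves today). Since the heading keeps its colon in this change, any later edit to that heading text will silently break the link; consider dropping the colon from the heading in the same change, or adding an explicit anchor, so the reference is stable.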
@ -132,8 +135,9 @@ The following components are out of scope for the bounty program
to, any and all web properties not explicitly listed on this page) to, any and all web properties not explicitly listed on this page)
### Eligibility: ### Eligibility:
* Submissions _MUST_ include an exploit proof-of-concept to be considered eligible
* The participant submitting the bug report shall follow the process outlined within this document * The participant submitting the bug report shall follow the process outlined within this document
* Valid exploits can be eligible even if they are not successfully executed on the cluster * Valid exploits can be eligible even if they are not successfully executed on a public cluster
* Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis * Multiple submissions for the same class of exploit are still eligible for compensation, though may be compensated at a lower rate, however these will be assessed on a case-by-case basis
* Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens. * Participants must complete KYC and sign the participation agreement here when the registrations are open https://solana.foundation/kyc. Security exploits will still be assessed and open for submission at all times. This needs only be done prior to distribution of tokens.
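Review bot: the new bullet "Submissions _MUST_ include an exploit proof-of-concept to be considered eligible" and the wording change from "the cluster" to "a public cluster" are consistent with the reporting section, but the combination can still be read as tolerating exploit attempts against public clusters as long as eligibility does not depend on their success. Suggest making the expectation explicit in this list, e.g. that PoCs are to be demonstrated on a local test validator or other non-public cluster and that testing against public clusters is out of bounds, so the eligibility rules also serve as a safe-harbour boundary for researchers.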