From e681d8bf6132b7c920504e718c9fd41652236b8f Mon Sep 17 00:00:00 2001 From: Jon C Date: Tue, 9 Jan 2024 12:26:11 +0100 Subject: [PATCH] security-policy: Refer to SPL for on-chain programs (#34697) * security-policy: Refer to SPL for on-chain programs * Add SPL as a bullet point instead * Remove reference to token * Add another bit about SPL at the top --- SECURITY.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index a27ccbe1f2..2938bf7bb3 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,6 +14,10 @@ Provide a helpful title, detailed description of the vulnerability and an exploi proof-of-concept. Speculative submissions without proof-of-concept will be closed with no further consideration. +Please refer to the +[Solana Program Library (SPL) security policy](https://github.com/solana-labs/solana-program-library/security/policy) +for vulnerabilities regarding SPL programs such as SPL Token. + If you haven't done so already, please **enable two-factor auth** in your GitHub account. Expect a response as fast as possible in the advisory, typically within 72 hours. @@ -98,7 +102,7 @@ mitigation to qualify. #### Loss of Funds: $2,000,000 USD in locked SOL tokens (locked for 12 months) * Theft of funds without users signature from any account -* Theft of funds without users interaction in system, token, stake, vote programs +* Theft of funds without users interaction in system, stake, vote programs * Theft of funds that requires users signature - creating a vote program that drains the delegated stakes. #### Consensus/Safety Violations: 
@@ -133,6 +137,8 @@ The following components are out of scope for the bounty program * Any undeveloped automated tooling (scanners, etc) results. (OK with developed PoC) * Any asset whose source code does not exist in this repository (including, but not limited to, any and all web properties not explicitly listed on this page) +* Programs in the Solana Program Library, such as SPL Token. Please refer to the +[SPL security policy](https://github.com/solana-labs/solana-program-library/security/policy). ### Eligibility: * Submissions _MUST_ include an exploit proof-of-concept to be considered eligible
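Review bot: In the first hunk (the `@@ -14,6 +14,10 @@` region of SECURITY.md), the new SPL paragraph is inserted between the proof-of-concept requirement and the "enable two-factor auth" instruction, which splits what reads as one sequence of submission steps; consider moving it above "Provide a helpful title..." so the reporter learns where SPL issues belong before reading how to file here, or fold it into the scope section where the matching out-of-scope bullet already lives. The link text "SPL Token" is consistent with the later bullet, which is good.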
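Review bot: In the Loss of Funds hunk (`@@ -98,7 +102,7 @@`), dropping "token" from "system, token, stake, vote programs" leaves a reader of the reward tiers with no hint of why token-program theft is no longer listed; suggest a parenthetical on the touched line, e.g. "* Theft of funds without user's signature or interaction in the system, stake, and vote programs (token program issues fall under the SPL security policy)". While the line is being edited, "users signature" and "users interaction" need the possessive ("user's"), and the list reads better with a conjunction ("system, stake, and vote programs").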
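Review bot: In the out-of-scope hunk (`@@ -133,6 +137,8 @@`), the SPL policy URL is now duplicated verbatim from the first hunk; a reference-style link (`[SPL security policy][spl-policy]` with one `[spl-policy]: https://...` definition) would keep a single place to update if the policy moves. The continuation line `[SPL security policy](...)` starts at column 0 and relies on lazy continuation to stay inside the bullet; indenting it two spaces under the `*` makes the list item unambiguous for every renderer. It may also be worth stating on the new bullet that SPL programs live in a separate repository, so the overlap with the preceding "source code does not exist in this repository" bullet is explicit rather than implied.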