security-policy: Refer to SPL for on-chain programs (#34697)

* security-policy: Refer to SPL for on-chain programs

* Add SPL as a bullet point instead

* Remove reference to token

* Add another bit about SPL at the top
Jon C 2024-01-09 12:26:11 +01:00 committed by GitHub
parent 5c2d7b6b8a
commit e681d8bf61
1 changed files with 7 additions and 1 deletions


@ -14,6 +14,10 @@ Provide a helpful title, detailed description of the vulnerability and an exploi
proof-of-concept. Speculative submissions without proof-of-concept will be closed proof-of-concept. Speculative submissions without proof-of-concept will be closed
with no further consideration. with no further consideration.
Please refer to the
[Solana Program Library (SPL) security policy](https://github.com/solana-labs/solana-program-library/security/policy)
for vulnerabilities regarding SPL programs such as SPL Token.
If you haven't done so already, please **enable two-factor auth** in your GitHub account. If you haven't done so already, please **enable two-factor auth** in your GitHub account.
Expect a response as fast as possible in the advisory, typically within 72 hours. Expect a response as fast as possible in the advisory, typically within 72 hours.
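Review bot: the new pointer to the SPL security policy is inserted directly between the proof-of-concept paragraph and the "enable two-factor auth" line, so a reader skimming the reporting steps may miss it; consider placing it ahead of the reporting instructions (before "Provide a helpful title ...") or giving it its own short lead such as "Note:" so it is read before someone files an advisory in the wrong repository. The SPL policy URL is also repeated verbatim in the out-of-scope hunk below; a single reference-style link definition would keep both in sync if the SPL repository moves.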
@ -98,7 +102,7 @@ mitigation to qualify.
#### Loss of Funds: #### Loss of Funds:
$2,000,000 USD in locked SOL tokens (locked for 12 months) $2,000,000 USD in locked SOL tokens (locked for 12 months)
* Theft of funds without users signature from any account * Theft of funds without users signature from any account
* Theft of funds without users interaction in system, token, stake, vote programs * Theft of funds without users interaction in system, stake, vote programs
* Theft of funds that requires users signature - creating a vote program that drains the delegated stakes. * Theft of funds that requires users signature - creating a vote program that drains the delegated stakes.
#### Consensus/Safety Violations: #### Consensus/Safety Violations:
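Review bot: dropping "token" from "system, token, stake, vote programs" is consistent with moving SPL Token out of scope, but the resulting list is now the only place in the Loss of Funds tier that enumerates covered programs, so it should be checked against the rest of the scope section to make sure the remaining native programs are the intended set. While this line is being touched, the unchanged "without users signature" / "without users interaction" wording on the surrounding bullets should read "user's signature" / "user's interaction".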
@ -133,6 +137,8 @@ The following components are out of scope for the bounty program
* Any undeveloped automated tooling (scanners, etc) results. (OK with developed PoC) * Any undeveloped automated tooling (scanners, etc) results. (OK with developed PoC)
* Any asset whose source code does not exist in this repository (including, but not limited * Any asset whose source code does not exist in this repository (including, but not limited
to, any and all web properties not explicitly listed on this page) to, any and all web properties not explicitly listed on this page)
* Programs in the Solana Program Library, such as SPL Token. Please refer to the
[SPL security policy](https://github.com/solana-labs/solana-program-library/security/policy).
### Eligibility: ### Eligibility:
* Submissions _MUST_ include an exploit proof-of-concept to be considered eligible * Submissions _MUST_ include an exploit proof-of-concept to be considered eligible
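Review bot: the new out-of-scope bullet excludes "Programs in the Solana Program Library" but does not say whether a runtime, loader or native-program bug that is merely demonstrated through an SPL program (for example a PoC that uses SPL Token as the victim) remains in scope for this repository; one clarifying clause here would avoid misrouted reports. Minor: the link text differs between the two hunks ("Solana Program Library (SPL) security policy" above, "SPL security policy" here); pick one form.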