security-policy: Refer to SPL for on-chain programs

[joncinque]

Problem

It's not clear that the SPL has its own security policy for those just looking at the monorepo security policy, and in fact confused a few people.

Summary of Changes

In the "Out of Scope" section, add a link to the SPL security policy.

Fixes #

[t-nelson]

wdyt about shortening to a new item in the bulleted list and adding something similar at in the first section of the doc? "Please report Solana Program Library (SPL) vulns to ..."

[t-nelson]

were you planning to add similar at the top of the doc or nah?

[joncinque]

Ah sorry, it looks like I was in "review" mode and not "respond to comment" mode, so my response didn't get published.

I wasn't sure where to put it at the top, so it seemed easiest to just add the point in the list.

I did notice that "token" is called out in the "loss of funds" section though on line 101. Do you want to keep that there or should I remove it?

[t-nelson]

Ah sorry, it looks like I was in "review" mode and not "respond to comment" mode, so my response didn't get published.

👍

I wasn't sure where to put it at the top, so it seemed easiest to just add the point in the list.

i was thinking up there under the big bold "DO NOT CREATE A GITHUB ISSUE..."

I did notice that "token" is called out in the "loss of funds" section though on line 101. Do you want to keep that there or should I remove it?

oh yeah that should definitely be gone

[joncinque]

i was thinking up there under the big bold "DO NOT CREATE A GITHUB ISSUE..."

I think I put it in the right place, let me know. It read awkwardly to me right after the bold bit, but let me know if you prefer something else

oh yeah that should definitely be gone

Done

[t-nelson]

thanks!