From 2754e40dcde252d714e3c7da2fa60718b36c134b Mon Sep 17 00:00:00 2001 From: Jon C Date: Mon, 8 Jan 2024 19:26:56 +0100 Subject: [PATCH 1/4] security-policy: Refer to SPL for on-chain programs --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a27ccbe1f2da4a..2214ab7d300cb1 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -134,6 +134,11 @@ The following components are out of scope for the bounty program * Any asset whose source code does not exist in this repository (including, but not limited to, any and all web properties not explicitly listed on this page) +The Solana Program Library has its own security policy for on-chain programs, +such as spl-token, which is not covered here. For more information, please refer +to the +[SPL security policy](https://github.com/solana-labs/solana-program-library/security/policy). + ### Eligibility: * Submissions _MUST_ include an exploit proof-of-concept to be considered eligible * The participant submitting the bug report shall follow the process outlined within this document From 5fea5363113b8817c1f126b1fbd6a5b7ccd27e8c Mon Sep 17 00:00:00 2001 From: Jon C Date: Mon, 8 Jan 2024 21:16:48 +0100 Subject: [PATCH 2/4] Add SPL as a bullet point instead --- SECURITY.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 2214ab7d300cb1..97faa852b4d6be 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -133,10 +133,7 @@ The following components are out of scope for the bounty program * Any undeveloped automated tooling (scanners, etc) results. (OK with developed PoC) * Any asset whose source code does not exist in this repository (including, but not limited to, any and all web properties not explicitly listed on this page) - -The Solana Program Library has its own security policy for on-chain programs, -such as spl-token, which is not covered here. For more information, please refer -to the +* Programs in the Solana Program Library, such as SPL Token. Please refer to the [SPL security policy](https://github.com/solana-labs/solana-program-library/security/policy). ### Eligibility: From eb28381232be6d575e7f3904779a0a337a4bbb9b Mon Sep 17 00:00:00 2001 From: Jon C Date: Tue, 9 Jan 2024 01:15:30 +0100 Subject: [PATCH 3/4] Remove reference to token --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 97faa852b4d6be..1811cfc02b0e16 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -98,7 +98,7 @@ mitigation to qualify. #### Loss of Funds: $2,000,000 USD in locked SOL tokens (locked for 12 months) * Theft of funds without users signature from any account -* Theft of funds without users interaction in system, token, stake, vote programs +* Theft of funds without users interaction in system, stake, vote programs * Theft of funds that requires users signature - creating a vote program that drains the delegated stakes. #### Consensus/Safety Violations: From e93829262d3125a376f87f7a21ea449572110020 Mon Sep 17 00:00:00 2001 From: Jon C Date: Tue, 9 Jan 2024 03:37:13 +0100 Subject: [PATCH 4/4] Add another bit about SPL at the top --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 1811cfc02b0e16..2938bf7bb328e6 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -14,6 +14,10 @@ Provide a helpful title, detailed description of the vulnerability and an exploi proof-of-concept. Speculative submissions without proof-of-concept will be closed with no further consideration. +Please refer to the +[Solana Program Library (SPL) security policy](https://github.com/solana-labs/solana-program-library/security/policy) +for vulnerabilities regarding SPL programs such as SPL Token. + If you haven't done so already, please **enable two-factor auth** in your GitHub account. Expect a response as fast as possible in the advisory, typically within 72 hours.
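Review bot: In PATCH 1/4 (SECURITY.md, hunk `@@ -134,6 +134,11 @@`), the added text is a free-standing paragraph wedged between the last out-of-scope bullet and the `### Eligibility:` heading, so a reporter scanning the bullet list for exclusions can miss it. Make it one more item of that list (e.g. `* Programs in the Solana Program Library, such as spl-token. See the [SPL security policy](...)`) rather than a paragraph, and drop the ambiguous "which is not covered here": it is unclear whether the relative clause refers to the SPL programs or to their policy.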
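Review bot: In PATCH 2/4 (hunk `@@ -133,10 +133,7 @@`), the new bullet declares SPL programs out of scope, but at this commit the "Loss of Funds" section still lists the `token` program among the in-scope programs; that contradiction is only resolved in PATCH 3/4. Squash 2/4 and 3/4 (or reorder them) so that no intermediate commit leaves the two sections disagreeing about whether the token program is covered. Minor: the wrapped line ends with "Please refer to the" and continues on the next line with the link, which is fine for Markdown, but keep the product name consistent across the document ("SPL Token" here vs. "spl-token" in 1/4).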
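Review bot: In PATCH 3/4 (hunk `@@ -98,7 +98,7 @@`), since this line is being rewritten anyway, fix the pre-existing grammar on it: "Theft of funds without users interaction in system, stake, vote programs" reads better as "Theft of funds without a user's interaction in the system, stake, or vote programs". The neighbouring lines keep "users signature", so either fix all three in this commit or leave all three for a separate cleanup. The commit message "Remove reference to token" also gives no reason; state that the token program is now covered by the SPL policy (as introduced in 2/4) so the history explains why a payout category shrank.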
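Review bot: In PATCH 4/4 (hunk `@@ -14,6 +14,10 @@`), the SPL pointer is inserted after the "Provide a helpful title, detailed description ... proof-of-concept" submission instructions, so a reporter reading top-down has already been told how to file here before learning that SPL programs belong elsewhere; move the paragraph above the submission steps (or to the opening of the reporting section). The wording "SPL programs such as SPL Token" and the policy URL should match the out-of-scope bullet from 2/4 exactly, so the two references describe the same scope; if both are kept, consider making the top one a one-line pointer and leaving the full explanation in the out-of-scope list.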