|
|
@@ -0,0 +1,39 @@
|
|
|
+# Security Policy
|
|
|
+
|
|
|
+## Reporting security problems
|
|
|
+
|
|
|
+**DO NOT CREATE A GITHUB ISSUE** to report a security problem.
|
|
|
+
|
|
|
+Instead please use this [Report a Vulnerability](https://github.com/solana-program/token/security/advisories/new) link.
|
|
|
+Provide a helpful title and detailed description of the problem.
|
|
|
+
|
|
|
+If you haven't done so already, please **enable two-factor auth** in your GitHub account.
|
|
|
+
|
|
|
+Expect a response as fast as possible in the advisory, typically within 72 hours.
|
|
|
+
|
|
|
+--
|
|
|
+
|
|
|
+If you do not receive a response in the advisory, send an email to
|
|
|
+<security@anza.xyz> with the full URL of the advisory you have created. DO NOT
|
|
|
+include attachments or provide detail sufficient for exploitation regarding the
|
|
|
+security issue in this email. **Only provide such details in the advisory**.
|
|
|
+
|
|
|
+If you do not receive a response from <security@anza.xyz> please followup with
|
|
|
+the team directly. You can do this in one of the `#Dev Tooling` channels of the
|
|
|
+[Solana Tech discord server](https://solana.com/discord), by pinging the admins
|
|
|
+in the channel and referencing the fact that you submitted a security problem.
|
|
|
+
|
|
|
+## Security Bug Bounties
|
|
|
+
|
|
|
+The Solana Foundation offer bounties for critical security issues. Please
|
|
|
+see the [Agave Security Bug
|
|
|
+Bounties](https://github.com/anza-xyz/agave/security/policy#security-bug-bounties)
|
|
|
+for details on classes of bugs and payment amounts.
|
|
|
+
|
|
|
+## Scope
|
|
|
+
|
|
|
+Only the `spl-token` program is included in the bounty scope, at
|
|
|
+[program](https://github.com/solana-program/token/tree/master/program).
|
|
|
+
|
|
|
+If you discover a critical security issue in an out-of-scope component, your finding
|
|
|
+may still be valuable.
|
Jon C