|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Reporting security problems |
| 4 | + |
| 5 | +**DO NOT CREATE A GITHUB ISSUE** to report a security problem. |
| 6 | + |
| 7 | +Instead please use this [Report a Vulnerability](https://github.com/solana-program/memo/security/advisories/new) link. |
| 8 | +Provide a helpful title and detailed description of the problem. |
| 9 | + |
| 10 | +If you haven't done so already, please **enable two-factor auth** in your GitHub account. |
| 11 | + |
| 12 | +Expect a response as fast as possible in the advisory, typically within 72 hours. |
| 13 | + |
| 14 | +-- |
| 15 | + |
| 16 | +If you do not receive a response in the advisory, send an email to |
| 17 | +<[email protected]> with the full URL of the advisory you have created. DO NOT |
| 18 | +include attachments or provide detail sufficient for exploitation regarding the |
| 19 | +security issue in this email. **Only provide such details in the advisory**. |
| 20 | + |
| 21 | +If you do not receive a response from <[email protected]> please followup with |
| 22 | +the team directly. You can do this in one of the `#Dev Tooling` channels of the |
| 23 | +[Solana Tech discord server](https://solana.com/discord), by pinging the admins |
| 24 | +in the channel and referencing the fact that you submitted a security problem. |
| 25 | + |
| 26 | +## Security Bug Bounties |
| 27 | + |
| 28 | +The Solana Foundation offer bounties for critical security issues. Please |
| 29 | +see the [Agave Security Bug |
| 30 | +Bounties](https://github.com/anza-xyz/agave/security/policy#security-bug-bounties) |
| 31 | +for details on classes of bugs and payment amounts. |
| 32 | + |
| 33 | +## Scope |
| 34 | + |
| 35 | +Only the `spl-memo` program is included in the bounty scope, at |
| 36 | +[program](https://github.com/solana-program/memo/tree/master/program). |
| 37 | + |
| 38 | +If you discover a critical security issue in an out-of-scope component, your finding |
| 39 | +may still be valuable. |
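Review bot: The Discord escalation paragraph (added lines 21-24) does not repeat the restriction that the email paragraph states at lines 17-19 ("DO NOT include attachments or provide detail sufficient for exploitation"), so a reporter could reasonably post vulnerability details in one of the `#Dev Tooling` channels. Suggest adding a sentence there telling reporters to mention only that an advisory exists and to keep all details in the advisory itself. Two smaller points: the `--` at line 14 sits between blank lines, so Markdown renders it as literal text rather than a horizontal rule (use `---` if a rule was intended), and the out-of-scope paragraph at lines 38-39 says a finding "may still be valuable" without saying where to send it. Wording: "The Solana Foundation offer" at line 28 should read "offers", and "followup" at line 21 should be "follow up".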