chore: Update security advisory info #3906
Merged
jacobcreech
merged 4 commits into
solana-foundation:master
from
jacobcreech:security_adv
Sep 27, 2025
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,67 +1,327 @@ | ||
| # Security Policy | ||
|
|
||
| 1. [Reporting security problems](#reporting) | ||
| 2. [Incident Response Process](#process) | ||
| 1. [Reporting security | ||
| problems](#reporting) | ||
| 4. [Security Bug Bounties](#bounty) | ||
| 2. [Incident Response | ||
| Process](#process) | ||
|
|
||
| <a name="reporting"></a> | ||
| ## Reporting security problems in the <project_name> | ||
| ## Reporting security problems for | ||
| Anchor Lang | ||
|
|
||
| **DO NOT CREATE A GITHUB ISSUE** to report a security problem. | ||
| **DO NOT CREATE A GITHUB ISSUE** to | ||
| report a security problem. | ||
|
|
||
| Instead please email disclosures@solana.org. | ||
| Provide a helpful title, detailed description of the vulnerability and an exploit | ||
| proof-of-concept. Speculative submissions without proof-of-concept will be closed | ||
| Instead please email | ||
| anchor-security@solana.org. | ||
| Provide a helpful title, detailed | ||
| description of the vulnerability and an | ||
| exploit | ||
| proof-of-concept. Speculative | ||
| submissions without proof-of-concept | ||
| will be closed | ||
| with no further consideration. | ||
|
|
||
| If you haven't done so already, please | ||
| **enable two-factor auth** in your | ||
| GitHub account. | ||
|
|
||
| If you haven't done so already, please **enable two-factor auth** in your GitHub account. | ||
| Expect a response as fast as possible | ||
| in the advisory, typically within 72 | ||
| hours. | ||
|
|
||
| Expect a response as fast as possible in the advisory, typically within 72 hours. | ||
| As a general rule of thumb, we will | ||
| look to these questions to evaluate | ||
| eligibility: | ||
| 1. Does the bug affect multiple | ||
| contracts? Vulnerabilities don’t have | ||
| to affect multiple contracts, but a | ||
| more widespread bug is generally | ||
| indicative of a fundamental issue with | ||
| the library, as opposed to a mistake by | ||
| the developer | ||
| 2. Was the bug public knowledge | ||
| previously? This may mean that it’s a | ||
| vulnerability class for users of | ||
| Anchor, but not an issue within Anchor | ||
| itself | ||
| 3. How complicated is the bug to | ||
| trigger? The simpler and more plausible | ||
| the proof of concept, the more likely | ||
| it is to be a bug in the library | ||
|
|
||
| -- | ||
| Regardless, if you think you have an | ||
| issue, we’d like to hear about it. | ||
|
|
||
| If you do not receive a response in the advisory, send an email to | ||
| disclosures@solana.org with the full URL of the advisory you have created. DO NOT | ||
| include attachments or provide detail sufficient for exploitation regarding the | ||
| security issue in this email. **Only provide such details in the advisory**. | ||
| For bugs that affect production code, | ||
| we will pay up to $X according to the | ||
| following guidelines. This is exclusive | ||
| to any bounties claimed from the | ||
| protocol. In other words, reports can’t | ||
| double-dip. | ||
| - Critical: X. Bypass of fundamental | ||
|
||
| Anchor checks, such as account | ||
| ownership, discriminator, memory | ||
| safety, etc. | ||
| - Medium: X. Denial of service | ||
| - Low: X: All remaining issues | ||
|
|
||
|
|
||
| If you do not receive a response from disclosures@solana.org please followup with | ||
| the team on another platform like @solana_devs on X/twitter | ||
| --- | ||
|
|
||
| If you do not receive a response in the | ||
| advisory, send an email to | ||
| anchor-security@solana.org with the | ||
| full URL of the advisory you have | ||
| created. DO NOT | ||
| include attachments or provide detail | ||
| sufficient for exploitation regarding | ||
| the | ||
| security issue in this email. **Only | ||
| provide such details in the | ||
| advisory**. | ||
|
|
||
| <a name="process"></a> | ||
| ## Incident Response Process | ||
|
|
||
| In case an incident is discovered or reported, the following process will be | ||
| followed to contain, respond and remediate: | ||
| In case an incident is discovered or | ||
| reported, the following process will be | ||
| followed to contain, respond and | ||
| remediate: | ||
|
|
||
| ### 1. Accept the new report | ||
| In response a newly reported security problem, a member of the | ||
| `solana-foundation/admins` group will accept the report to turn it into a draft | ||
| advisory. The `solana-foundation/security-incident-response` group should be added to | ||
| the draft security advisory, and create a private fork of the repository (grey | ||
| button towards the bottom of the page) if necessary. | ||
| In response a newly reported security | ||
| problem, a member of the | ||
| `solana-foundation/admins` group will | ||
| accept the report to turn it into a | ||
| draft | ||
| advisory. The | ||
| `solana-foundation/anchor-security-incident-response` | ||
| group should be added to | ||
| the draft security advisory, and create | ||
| a private fork of the repository (grey | ||
| button towards the bottom of the page) | ||
| if necessary. | ||
|
|
||
| If the advisory is the result of an audit finding, follow the same process as above but add the auditor's github user(s) and begin the title with "[Audit]". | ||
| If the advisory is the result of an | ||
| audit finding, follow the same process | ||
| as above but add the auditor's github | ||
| user(s) and begin the title with | ||
| "[Audit]". | ||
|
|
||
| If the report is out of scope, a member of the `solana-foundation/admins` group will | ||
| comment as such and then close the report. | ||
| If the report is out of scope, a member | ||
| of the `solana-foundation/admins` group | ||
| will | ||
| comment as such and then close the | ||
| report. | ||
|
|
||
| ### 2. Triage | ||
| Within the draft security advisory, discuss and determine the severity of the issue. If necessary, members of the solana-foundation/security-incident-response group may add other github users to the advisory to assist. | ||
| If it is determined that this is not a critical network issue then the advisory should be closed and if more follow-up is required a normal Solana public github issue should be created. | ||
| Within the draft security advisory, | ||
| discuss and determine the severity of | ||
| the issue. If necessary, members of the | ||
| `solana-foundation/anchor-security-incident-response` | ||
| group may add other github users to the | ||
| advisory to assist. | ||
| If it is determined that this is not a | ||
| critical network issue then the | ||
|
||
| advisory should be closed and if more | ||
| follow-up is required a normal Solana | ||
| public github issue should be created. | ||
|
|
||
| ### 3. Prepare Fixes | ||
| For the affected branches, typically all three (edge, beta and stable), prepare a fix for the issue and push them to the corresponding branch in the private repository associated with the draft security advisory. | ||
| There is no CI available in the private repository so you must build from source and manually verify fixes. | ||
| Code review from the reporter is ideal, as well as from multiple members of the core development team. | ||
| For the affected branches, typically | ||
| all three (edge, beta and stable), | ||
| prepare a fix for the issue and push | ||
| them to the corresponding branch in the | ||
| private repository associated with the | ||
| draft security advisory. | ||
| There is no CI available in the private | ||
| repository so you must build from | ||
| source and manually verify fixes. | ||
| Code review from the reporter is ideal, | ||
| as well as from multiple members of the | ||
| core development team. | ||
|
|
||
| ### 4. Notify Security Group Validators | ||
| Once an ETA is available for the fix, a member of the solana-foundation/security-incident-response group should notify the validators so they can prepare for an update using the "Solana Red Alert" notification system. | ||
| The teams are all over the world and it's critical to provide actionable information at the right time. Don't be the person that wakes everybody up at 2am when a fix won't be available for hours. | ||
| ### 4. Notify Security Group | ||
| Once an ETA is available for the fix, a | ||
| member of the | ||
| `solana-foundation/anchor-security-incident-response` | ||
| group should notify major affected | ||
| parties. | ||
| The teams are all over the world and | ||
| it's critical to provide actionable | ||
| information at the right time. Don't be | ||
| the person that wakes everybody up at | ||
| 2am when a fix won't be available for | ||
| hours. | ||
|
|
||
| ### 5. Ship the patch | ||
| Once the fix is accepted it may be distributed directly to validators as a patch, depending on the vulnerability. | ||
| Once the fix is accepted it may be | ||
| distributed directly to develoers as a | ||
| patch, depending on the vulnerability. | ||
|
|
||
| ### 6. Public Disclosure and Release | ||
| Once the fix has been deployed to major | ||
| affected parties, the patches from the | ||
| security advisory may be merged into | ||
| the main source repository. A new | ||
| official release for each affected | ||
| branch should be shipped and all | ||
| parties requested to upgrade as quickly | ||
| as possible. | ||
|
|
||
| ### 7. Security Advisory Bounty | ||
|
||
| Accounting and Cleanup | ||
| If this issue is | ||
| [eligible](#eligibility) for a bounty, | ||
| prefix the title of the | ||
| security advisory with one of the | ||
| following, depending on the severity: | ||
|
|
||
| - [Bounty Category: | ||
| Critical](#critical): X. Bypass of | ||
| fundamental Anchor checks, such as | ||
| account ownership, discriminator, | ||
| memory safety, etc. | ||
| - [Bounty Category: Medium](#medium): | ||
| X. Denial of service | ||
| - [Bounty Category: Low](#low): X: All | ||
| remaining issues | ||
|
|
||
| Confirm with the reporter that they | ||
| agree with the severity assessment, and | ||
| discuss as required to reach a | ||
| conclusion. | ||
|
|
||
| We currently do not use the Github | ||
| workflow to publish security | ||
| advisories. Once the issue and fix have | ||
| been disclosed, and a bounty category | ||
| is assessed if appropriate, the GitHub | ||
| security advisory is no longer needed | ||
| and can be closed. | ||
|
|
||
| <a name="bounty"></a> | ||
| ## Security Bug Bounties | ||
|
||
| At its sole discretion, the Solana | ||
| Foundation may offer a bounty for | ||
| [valid reports](#reporting) of critical | ||
| Solana vulnerabilities. Please see | ||
| below | ||
| for more details. The submitter is not | ||
| required to provide a | ||
| mitigation to qualify. | ||
|
|
||
| #### IMPORTANT | PLEASE NOTE | ||
| _Note: Payments will continue to be | ||
| paid out in 12-month locked SOL._ | ||
|
|
||
| <a name="critical"></a> | ||
| #### Critical: | ||
| _Max: X SOL tokens. Min: Y SOL tokens_ | ||
|
|
||
| * Bypassing fundamental Anchor checks, | ||
| such as account ownership, | ||
| discriminator, memory safety, etc. | ||
|
|
||
| <a name="medium"></a> | ||
| #### Medium: | ||
| _Max: X SOL tokens. Min: Y SOL tokens_ | ||
|
|
||
| * Denial of service attacks | ||
|
|
||
| <a name="low"></a> | ||
| #### Low: | ||
| _Max: X SOL tokens. Min: Y SOL tokens_ | ||
|
|
||
| * All remaining issues | ||
|
|
||
| * Attacks to devex infrastructure | ||
|
|
||
| ### Out of Scope: | ||
| The following components are out of | ||
| scope for the bounty program | ||
| * Any encrypted credentials, auth | ||
| tokens, etc. checked into the repo | ||
| * Bugs in dependencies. Please take | ||
| them upstream! | ||
| * Attacks that require social | ||
| engineering | ||
| * Any undeveloped automated tooling | ||
| (scanners, etc) results. (OK with | ||
| developed PoC) | ||
| * Any asset whose source code does not | ||
| exist in this repository (including, | ||
| but not limited | ||
| to, any and all web properties not | ||
| explicitly listed on this page) | ||
|
|
||
| ### Eligibility: | ||
| * Anyone under a grant or the financial | ||
| arrangement with Solana Foundation to | ||
| develop or audit related tools is not | ||
| eligibile | ||
| * Submissions _MUST_ include an exploit | ||
| proof-of-concept to be considered | ||
| eligible | ||
| * The participant submitting the bug | ||
| report shall follow the process | ||
| outlined within this document | ||
| * Valid exploits can be eligible even | ||
| if they are not successfully executed | ||
| on a public cluster | ||
| * Multiple submissions for the same | ||
| class of exploit are still eligible for | ||
| compensation, though may be compensated | ||
| at a lower rate, however these will be | ||
| assessed on a case-by-case basis | ||
| * Participants must complete KYC and | ||
| sign the participation agreement here | ||
| when the registrations are open | ||
| https://solana.org/kyc. Security | ||
| exploits will still be assessed and | ||
| open for submission at all times. This | ||
| needs only be done prior to | ||
| distribution of tokens. | ||
|
|
||
| ### Duplicate Reports | ||
| Compensation for duplicative reports | ||
| will be split among reporters with | ||
| first to report taking priority using | ||
| the following equation | ||
| ``` | ||
| R: total reports | ||
| ri: report priority | ||
| bi: bounty share | ||
|
|
||
| We currently do not use the Github workflow to publish security advisories. Once the issue and fix have been disclosed, and a bounty category is assessed if appropriate, the GitHub security advisory is no longer needed and can be closed. | ||
| bi = 2 ^ (R - ri) / ((2^R) - 1) | ||
| ``` | ||
| #### Bounty Split Examples | ||
| | total reports | priority | share | | ||
| | ------------- | -------- | -----: | | ||
| | 1 | 1 | 100% | | ||
| | 2 | 1 | 66.67% | | ||
| | 2 | 2 | 33.33% | | ||
| | 3 | 1 | 57.14% | | ||
| | 3 | 2 | 28.57% | | ||
| | 3 | 3 | 14.29% | | ||
| | 4 | 1 | 53.33% | | ||
| | 4 | 2 | 26.67% | | ||
| | 4 | 3 | 13.33% | | ||
| | 4 | 4 | 6.67% | | ||
| | 5 | 1 | 51.61% | | ||
| | 5 | 2 | 25.81% | | ||
| | 5 | 3 | 12.90% | | ||
| | 5 | 4 | 6.45% | | ||
| | 5 | 5 | 3.23% | | ||
|
|
||
| ### Payment of Bug Bounties: | ||
| * Bounties are currently awarded on a | ||
| rolling/weekly basis and paid out | ||
| within 30 days upon receipt of an | ||
| invoice. | ||
| * Bug bounties that are paid out in SOL | ||
| are paid to stake accounts with a | ||
| lockup expiring 12 months from the date | ||
| of delivery of SOL. | ||
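Review bot: the new text still ships with unfilled placeholders for every bounty figure. "For bugs that affect production code, we will pay up to $X", the category lines "Critical: X.", "Medium: X.", "Low: X:" in both the process section and the "Security Advisory Bounty" step, and each "_Max: X SOL tokens. Min: Y SOL tokens_" line under Critical, Medium and Low need real amounts or an explicit "to be announced" wording before this is merged, otherwise the policy promises a payment it cannot state. Two smaller points in the same hunk: "distributed directly to develoers as a patch" should read "developers", and the triage step still says "If it is determined that this is not a critical network issue", which was inherited from the Solana network policy; for a framework like Anchor the wording should say what kind of issue is in scope (for example "not a security issue in Anchor itself"), matching the "Was the bug public knowledge previously? ... not an issue within Anchor itself" criterion a few lines above. Also worth checking: the new table of contents appears to list only "Reporting security problems" and "Incident Response Process" while the `<a name="bounty"></a>` / `## Security Bug Bounties` section is kept, so the bounty entry should be restored to the list if dropping it was not intended; and `[eligible](#eligibility)` relies on GitHub's auto-generated heading id for `### Eligibility:`, whereas every other internal link in the file uses an explicit `<a name="…"></a>` anchor, so add one for consistency.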