We take the security of our projects seriously. To ensure vulnerabilities are handled securely, please do not report security issues through public GitHub issues.
Instead, please use GitHub's private vulnerability reporting feature.
- For vulnerabilities in the zk-sdk, report them via the Agave repository:
- For all other components in this repository, use the following link:
When reporting, please provide a clear title and a detailed description of the issue. To protect your account, we also recommend enabling two-factor authentication on GitHub. You can typically expect an initial response to your advisory within 72 hours.
If you do not receive a response in the advisory, send an email to [email protected] with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Only provide such details in the advisory.
If you do not receive a response from [email protected], please follow up with the team directly. You can do this in one of the #Dev Tooling channels of the Solana Tech discord server, by pinging the admins in the channel and referencing the fact that you submitted a security problem.
The Solana Foundation offers bounties for critical security issues. Please see the Agave Security Bug Bounties for details on classes of bugs and payment amounts.
For the purposes of the bug bounty program, only vulnerabilities in the zk-sdk that affect the agave validator client are considered in scope.
We still encourage the responsible disclosure of vulnerabilities found in other components of this repository, even if they do not qualify for a bounty.