DO NOT CREATE A GITHUB ISSUE to report a security problem.

Instead please use this Report a Vulnerability link. Provide a helpful title and detailed description of the problem.

If you haven't done so already, please enable two-factor auth in your GitHub account.

Expect a response as fast as possible in the advisory, typically within 72 hours.

--

If you do not receive a response in the advisory, send an email to [email protected] with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Only provide such details in the advisory.

If you do not receive a response from [email protected] please followup with the team directly. You can do this in one of the #Dev Tooling channels of the Solana Tech discord server, by pinging the admins in the channel and referencing the fact that you submitted a security problem.

The Solana Foundation offer bounties for critical security issues. Please see the Agave Security Bug Bounties for details on classes of bugs and payment amounts.

Only the spl-token-2022 program is included in the bounty scope, at program.

If you discover a critical security issue in an out-of-scope component, your finding may still be valuable.