2020-08-17
Solana BBP

About Solana

Solana is a high-performance blockchain protocol with the goal of giving developers a way to build real-world, mission-critical applications on a censorship-resistant, open web.

We’re primarily a team of ex-Qualcomm engineers who spent most of our careers in distributed systems and wireless networks, and we geek out on shaving milliseconds off network confirmation times and benchmarking the latest hardware.

One of the core features of the protocol is smart contracts that allow for the automated execution of instructions without third parties based on a globally agreed set of trusted data that is publicly verifiable.

This is an extremely powerful feature, which we believe can add a significant amount of value, and empower developers to create disruptive applications that we can only begin to imagine.

However, to enable this in the real world it needs to be scalable. Therefore we made a design choice to execute the smart contracts engine using Berkeley Packet Filter (BPF), which is designed to parallelize execution across as many cores as the system can provide. The logic is based on how operating systems load and execute dynamic code in the kernel. And of course, the entire system is written in Rust, that is, both the engine and the smart contracts themselves (although we do support other languages such as C).

If that sounds interesting to you, we’d love to invite you to participate in our Bug Bounty program.

Getting Started

Our Github - Solana has been completely open-source from inception. You’ll find all of our code within this repository within
Rust VM for eBPF - This crate contains a virtual machine for eBPF program execution
Our Web3 SDK - This is the Solana Javascript API built on the Solana node RPC
Solana Technical Documentation - These explain why Solana is useful, how to use it, how it works, and why it will continue to work long in the decades to come
Solana Node RPC

Examples to Dive Right In:

Hello World on Solana - A good example to base your hacking on. Provides a simple demonstration on how to use the Solana Javascript API to build, deploy and interact with an on-chain program
Building a Simple ERC20-Like Token on Solana - This is a quick example demonstrating how you would use the Solana Javascript API to build, deploy, and interact with an ERC20-like Token example on-chain program.

Program Scope

  • Crash the runtime or cripple the network
  • Buffer/integer overflow/underflows
  • Breach the virtual machine sandbox
  • Exploit BPF helper/trap functions (logging, allocation, cross-program invocations, etc.) to produce non-deterministic results
  • Double/invalid spends
  • Exploit accounts (non-owned modifications, data size increase, etc.)
  • Tweak or break global inflation
  • Change inflation reward distribution (validator rewards)
  • Steal inflation rewards

Out of Scope Vulnerabilities

Please note that only the solana, solana-program-library, and example-helloworld GitHub repos and their libraries are in scope for this bounty.

All other associated websites and services are out of scope, including but not limited to:

Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, Discord) should be disclosed directly to those services.

Rewards

Bounty rewards are based on many factors including impact, risk, the likelihood of exploitation, and report quality. Rewards for bugs will be classified into these categories for payout:

  • Critical: $2,500 and up
  • High: $1,000 and up
  • Medium: $500 and up
  • Low: up to $100

While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Solana will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.

If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Solana and our users safe!

In Scope

Scope Type       Scope Name
web_application  https://github.com/solana-labs/solana/tree/master/sdk
web_application  https://github.com/solana-labs/solana/tree/master/programs
web_application  https://github.com/solana-labs/solana/tree/master/runtime
web_application  https://github.com/solana-labs/example-helloworld
web_application  https://github.com/solana-labs/solana-program-library


This policy was crawled by Onyphe on 2020-08-17 and is categorised as bounty.

FireBounty © 2015-2024