Man0s/security policy (#150)

* add security policy * add security.txt to program * chore: remove unclear example of invalid bounty
mrgnlabs · Jan 4, 2024 · e3b2f7b · e3b2f7b
1 parent 14fac27
commit e3b2f7b
Show file tree

Hide file tree

Showing 5 changed files with 61 additions and 1 deletion.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,38 @@
+# Important Notice
+**DO NOT CREATE A GITHUB ISSUE** to report a security problem. Instead, please send an email to [email protected] with a detailed description of the attack vector and security risk you have identified.
+
+# Bug Bounty Overview
+marginfi offers bug bounties for marginfi's on-chain program code. UI-only bugs are omitted.
+
+|Severity|Bounty|
+|-----------|-------------|
+|Critical|10% of the value of the hack, up to $500,000|
+|High|$10,000 to $50,000 per bug, assessed on a case by case basis|
+|Medium/Low|$1,000 to $5,000 per bug, assessed on a case by case basis|
+
+
+The severity scale is based on [Immunefi's classification system](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). 
+Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
+
+## Submission
+Please email [email protected] with a detailed description of the attack vector.
+
+For critical- and high-severity bugs, we require a proof of concept reproducible on a privately deployed mainnet contract (**NOT** our official deployment).
+
+You should expect a reply within 1 business day with additional questions or next steps regarding the bug bounty.
+
+## Bug Bounty Payment
+Bug bounties will be paid in USDC or equivalent.
+
+## Invalid Bug Bounties
+A number of attacks are out of scope for the bug bounty, including but not limited to:
+1. Attacks that the reporter has already exploited themselves, leading to damage.
+2. Attacks requiring access to leaked keys/credentials.
+3. Attacks requiring access to privileged addresses (governance, admin).
+4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
+5. Lack of liquidity.
+6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
+7. Best practice critiques.
+8. Sybil attacks.
+9. Attempted phishing or other social engineering attacks involving marginfi contributors or users
+10. Denial of service, or automated testing of services that generate significant traffic.
diff --git a/programs/marginfi/Cargo.toml b/programs/marginfi/Cargo.toml
@@ -37,6 +37,7 @@ solana-program = { workspace = true }
 static_assertions = "1.1.0"
 switchboard-v2 = "=0.1.22"
 type-layout = "0.2.0"
+solana-security-txt = "1.1.1"
 
 [dev-dependencies]
 anyhow = "1.0.66"

diff --git a/programs/marginfi/src/lib.rs b/programs/marginfi/src/lib.rs
@@ -178,3 +178,15 @@ pub mod marginfi {
         marginfi_group::unset_account_flag(ctx, flag)
     }
 }
+
+#[cfg(not(feature = "no-entrypoint"))]
+use solana_security_txt::security_txt;
+#[cfg(not(feature = "no-entrypoint"))]
+security_txt! {
+    name: "marginfi v2",
+    project_url: "https://app.marginfi.com/",
+    contacts: "email:[email protected]",
+    policy: "https://github.com/mrgnlabs/marginfi-v2/blob/main/SECURITY.md",
+    preferred_languages: "en",
+    source_code: "https://github.com/mrgnlabs/marginfi-v2"
+}
diff --git a/programs/marginfi/src/state/marginfi_group.rs b/programs/marginfi/src/state/marginfi_group.rs
@@ -21,8 +21,10 @@ use anchor_lang::prelude::*;
 use anchor_spl::token::{transfer, Transfer};
 use fixed::types::I80F48;
 use pyth_sdk_solana::{load_price_feed_from_account_info, PriceFeed};
+#[cfg(feature = "client")]
+use std::fmt::Display;
 use std::{
-    fmt::{Debug, Display, Formatter},
+    fmt::{Debug, Formatter},
     ops::Not,
 };