From 4bc85ecae29fdbab9e98735568ffcc4b83d38906 Mon Sep 17 00:00:00 2001 From: samkim-crypto Date: Thu, 27 Mar 2025 09:38:36 +0900 Subject: [PATCH 1/6] add security-txt to program --- Cargo.lock | 7 +++++++ program/Cargo.toml | 1 + program/src/entrypoint.rs | 12 ++++++++++++ 3 files changed, 20 insertions(+)
diff --git a/Cargo.lock b/Cargo.lock
index 4de53eb..ce6c313 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5629,6 +5629,12 @@ dependencies = [
 "solana-sdk-ids",
 ]
 
+[[package]]
+name = "solana-security-txt"
+version = "1.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "468aa43b7edb1f9b7b7b686d5c3aeb6630dc1708e86e31343499dd5c4d775183"
+
 [[package]]
 name = "solana-seed-derivable"
 version = "2.2.1"
@@ -6522,6 +6528,7 @@ dependencies = [
 "solana-pubkey",
 "solana-rent",
 "solana-sdk",
+ "solana-security-txt",
 "thiserror 2.0.12",
 ]
 
diff --git a/program/Cargo.toml b/program/Cargo.toml
index 29d29fc..fe1d63b 100644
--- a/program/Cargo.toml
+++ b/program/Cargo.toml
@@ -24,6 +24,7 @@ solana-program-error = "2.2.1"
 solana-program-pack = "2.2.1"
 solana-pubkey = { version = "2.2.1", features = ["bytemuck"] }
 solana-rent = "2.2.1"
+solana-security-txt = "1.1.1"
 thiserror = "2.0.12"
 
 [dev-dependencies]
diff --git a/program/src/entrypoint.rs b/program/src/entrypoint.rs
index f52b183..df40aeb 100644
--- a/program/src/entrypoint.rs
+++ b/program/src/entrypoint.rs
@@ -14,3 +14,15 @@ fn process_instruction(
 ) -> ProgramResult {
 crate::processor::process_instruction(program_id, accounts, instruction_data)
 }
+
+security_txt! {
+ // Required fields
+ name: "SPL Record",
+ project_url: "https://solana-program.com/record",
+ contacts: "link:https://github.com/solana-program/record/security/advisories/new,mailto:security@anza.xyz,discord:https://solana.com/discord",
+ policy: "https://github.com/solana-program/record/blob/master/SECURITY.md",
+
+ // Optional Fields
+ preferred_languages: "en",
+ source_code: "https://github.com/solana-program/record/tree/master/program",
+}
From 611829e64214a910a7ef706dea6c22087ccc75cd Mon Sep 17 00:00:00 2001 From: samkim-crypto Date: Thu, 27 Mar 2025 09:51:54 +0900 Subject: [PATCH 2/6] add `SECURITY.md` verbatim from spl --- SECURITY.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..7e91c71
--- /dev/null
+++ b/SECURITY.md
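Review bot: The `security_txt!` block added at the end of entrypoint.rs is compiled unconditionally, and because the macro expands to a `#[no_mangle]` static, it is also linked into any crate that depends on this program as a library and will clash with another program's security.txt symbol in the same binary — unless this module is already gated on the crate's `no-entrypoint` feature, which the hunk does not show. If it is not, add `#[cfg(not(feature = "no-entrypoint"))]` directly above `security_txt! {`, matching the gate the upstream crate's own examples use. `source_code` points at `tree/master`, which moves out from under an auditor; the macro's optional `source_revision` field, filled from a build-time commit hash, lets the deployed binary be reproduced from a fixed source, so consider adding it alongside `source_code`. The hunk opens mid-function: `process_instruction`'s signature is above it and only its closing lines are shown.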
@@ -0,0 +1,76 @@ +# Security Policy + +1. [Reporting security problems](#reporting) +1. [Security Bug Bounties](#bounty) +1. [Scope](#scope) +1. [Incident Response Process](#process) + + + +## Reporting security problems in the Solana Program Library + +**DO NOT CREATE A GITHUB ISSUE** to report a security problem. + +Instead please use this [Report a Vulnerability](https://github.com/solana-labs/solana-program-library/security/advisories/new) link. +Provide a helpful title and detailed description of the problem. + +If you haven't done so already, please **enable two-factor auth** in your GitHub account. + +Expect a response as fast as possible in the advisory, typically within 72 hours. + +-- + +If you do not receive a response in the advisory, send an email to +security@solana.com with the full URL of the advisory you have created. DO NOT +include attachments or provide detail sufficient for exploitation regarding the +security issue in this email. **Only provide such details in the advisory**. + +If you do not receive a response from security@solana.com please followup with +the team directly. You can do this in the `#core-technology` channel of the +[Solana Tech discord server](https://solana.com/discord), by pinging the admins +in the channel and referencing the fact that you submitted a security problem. + + + +## Security Bug Bounties + +The Solana Foundation offer bounties for critical Solana security issues. Please +see the [Solana Security Bug +Bounties](https://github.com/solana-labs/solana/security/policy#security-bug-bounties) +for details on classes of bugs and payment amounts. + + + +## Scope + +Only a subset of programs within the Solana Program Library repo are deployed to +the Solana Mainnet Beta. 
Currently, this includes: + +- [associated-token-account](https://github.com/solana-labs/solana-program-library/tree/master/associated-token-account/program) +- [feature-proposal](https://github.com/solana-labs/solana-program-library/tree/master/feature-proposal/program) +- [governance](https://github.com/solana-labs/solana-program-library/tree/master/governance/program) +- [memo](https://github.com/solana-labs/solana-program-library/tree/master/memo/program) +- [name-service](https://github.com/solana-labs/solana-program-library/tree/master/name-service/program) +- [stake-pool](https://github.com/solana-labs/solana-program-library/tree/master/stake-pool/program) +- [token](https://github.com/solana-labs/solana-program-library/tree/master/token/program) +- [token-2022](https://github.com/solana-labs/solana-program-library/tree/master/token/program-2022) + +If you discover a critical security issue in an out-of-scope program, your finding +may still be valuable. + +Many programs, including +[token-swap](https://github.com/solana-labs/solana-program-library/tree/master/token-swap/program) +and [token-lending](https://github.com/solana-labs/solana-program-library/tree/master/token-lending/program), +have been forked and deployed by prominent ecosystem projects, many of which +have their own bug bounty programs. + +While we cannot guarantee a bounty from another entity, we can help determine who +may be affected and put you in touch with the corresponding teams. + + + +## Incident Response Process + +In case an incident is discovered or reported, the +[Solana Security Incident Response Process](https://github.com/solana-labs/solana/security/policy#incident-response-process) +will be followed to contain, respond and remediate. From 2baee09f40dbce1537a86d222f68172243124da9 Mon Sep 17 00:00:00 2001 
From: samkim-crypto Date: Thu, 27 Mar 2025 10:04:13 +0900 Subject: [PATCH 3/6] update `SECURITY.md` --- SECURITY.md | 62 +++++------------------------------------------------ 1 file changed, 5 insertions(+), 57 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 7e91c71..06fb278 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,17 +1,10 @@ # Security Policy -1. [Reporting security problems](#reporting) -1. [Security Bug Bounties](#bounty) -1. [Scope](#scope) -1. [Incident Response Process](#process) - - - -## Reporting security problems in the Solana Program Library +## Reporting security problems **DO NOT CREATE A GITHUB ISSUE** to report a security problem. -Instead please use this [Report a Vulnerability](https://github.com/solana-labs/solana-program-library/security/advisories/new) link. +Instead please use this [Report a Vulnerability](https://github.com/solana-program/record/security/advisories/new) link. Provide a helpful title and detailed description of the problem. If you haven't done so already, please **enable two-factor auth** in your GitHub account. 
@@ -21,56 +14,11 @@ Expect a response as fast as possible in the advisory, typically within 72 hours -- If you do not receive a response in the advisory, send an email to -security@solana.com with the full URL of the advisory you have created. DO NOT + with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. **Only provide such details in the advisory**. -If you do not receive a response from security@solana.com please followup with -the team directly. You can do this in the `#core-technology` channel of the +If you do not receive a response from please followup with +the team directly. You can do this in one of the `#Dev Tooling` channels of the [Solana Tech discord server](https://solana.com/discord), by pinging the admins in the channel and referencing the fact that you submitted a security problem. - - - -## Security Bug Bounties - -The Solana Foundation offer bounties for critical Solana security issues. Please -see the [Solana Security Bug -Bounties](https://github.com/solana-labs/solana/security/policy#security-bug-bounties) -for details on classes of bugs and payment amounts. - - - -## Scope - -Only a subset of programs within the Solana Program Library repo are deployed to -the Solana Mainnet Beta. 
Currently, this includes: - -- [associated-token-account](https://github.com/solana-labs/solana-program-library/tree/master/associated-token-account/program) -- [feature-proposal](https://github.com/solana-labs/solana-program-library/tree/master/feature-proposal/program) -- [governance](https://github.com/solana-labs/solana-program-library/tree/master/governance/program) -- [memo](https://github.com/solana-labs/solana-program-library/tree/master/memo/program) -- [name-service](https://github.com/solana-labs/solana-program-library/tree/master/name-service/program) -- [stake-pool](https://github.com/solana-labs/solana-program-library/tree/master/stake-pool/program) -- [token](https://github.com/solana-labs/solana-program-library/tree/master/token/program) -- [token-2022](https://github.com/solana-labs/solana-program-library/tree/master/token/program-2022) - -If you discover a critical security issue in an out-of-scope program, your finding -may still be valuable. - -Many programs, including -[token-swap](https://github.com/solana-labs/solana-program-library/tree/master/token-swap/program) -and [token-lending](https://github.com/solana-labs/solana-program-library/tree/master/token-lending/program), -have been forked and deployed by prominent ecosystem projects, many of which -have their own bug bounty programs. - -While we cannot guarantee a bounty from another entity, we can help determine who -may be affected and put you in touch with the corresponding teams. - - - -## Incident Response Process - -In case an incident is discovered or reported, the -[Solana Security Incident Response Process](https://github.com/solana-labs/solana/security/policy#incident-response-process) -will be followed to contain, respond and remediate. From 139d4216c57e8ded3d3ba9f2fe27761d9c3bd839 Mon Sep 17 00:00:00 2001 From: samkim-crypto Date: Thu, 27 Mar 2025 12:20:07 +0900 Subject: [PATCH 4/6] add security-txt import --- program/src/entrypoint.rs | 1 + 1 file changed, 1 insertion(+) 
diff --git a/program/src/entrypoint.rs b/program/src/entrypoint.rs
index df40aeb..eb7f5f7 100644
--- a/program/src/entrypoint.rs
+++ b/program/src/entrypoint.rs
@@ -4,6 +4,7 @@ use {
 solana_account_info::AccountInfo,
 solana_program_error::ProgramResult,
 solana_pubkey::Pubkey,
+ solana_security_txt::security_txt,
 };
 
 solana_program_entrypoint::entrypoint!(process_instruction);
From ec4452f8ba8af1e8b84fe0d059047cdd0d2137d2 Mon Sep 17 00:00:00 2001 From: samkim-crypto Date: Thu, 27 Mar 2025 12:33:55 +0900 Subject: [PATCH 5/6] fix delimeter --- program/src/entrypoint.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/program/src/entrypoint.rs b/program/src/entrypoint.rs
index eb7f5f7..ede4189 100644
--- a/program/src/entrypoint.rs
+++ b/program/src/entrypoint.rs
@@ -25,5 +25,5 @@ security_txt! {
 
 // Optional Fields
 preferred_languages: "en",
- source_code: "https://github.com/solana-program/record/tree/master/program",
+ source_code: "https://github.com/solana-program/record/tree/master/program"
 }
From b2836627d656f93299f4f605b71bf8013238585e Mon Sep 17 00:00:00 2001 From: samkim-crypto Date: Thu, 27 Mar 2025 22:10:23 +0900 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Jon C --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index 06fb278..377011e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -14,11 +14,11 @@ Expect a response as fast as possible in the advisory, typically within 72 hours -- If you do not receive a response in the advisory, send an email to - with the full URL of the advisory you have created. DO NOT + with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. **Only provide such details in the advisory**. -If you do not receive a response from please followup with +If you do not receive a response from please followup with the team directly. You can do this in one of the `#Dev Tooling` channels of the [Solana Tech discord server](https://solana.com/discord), by pinging the admins in the channel and referencing the fact that you submitted a security problem.