From 8b307ed409fbdbbb41a50d0c720571c36fb5752b Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 31 Mar 2021 04:49:17 +0000 Subject: [PATCH] security policy: Add out-of-scope section (bp #16249) (#16251) * security policy: Add out-of-scope section (cherry picked from commit e9e46ff5211cb05cbe8ee0013bd191e9f290cb9f) * Update SECURITY.md Co-authored-by: Michael Vines (cherry picked from commit 700ebde47417f4c40959fdf8a606347de21ef458) Co-authored-by: Trent Nelson --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index ce4783b56a..ee9df8d7b6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -42,6 +42,14 @@ RPC DoS/Crashes: $5,000 USD in locked SOL tokens (locked for 12 months) * RPC attacks +Out of Scope: +The following components are out of scope for the bounty program +* Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com +* Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com +* Any encrypted credentials, auth tokens, etc. checked into the repo +* Bugs in dependencies. Please take them upstream! +* Attacks that require social engineering + Eligibility: * The participant submitting the bug bounty shall follow the process outlined within this document * Valid exploits can be eligible even if they are not successfully executed on the cluster
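Review bot: The added bullet "Any encrypted credentials, auth tokens, etc. checked into the repo" takes these out of the bounty but does not say whether a finder should still report them, so a checked-in credential that turns out to be usable could go unreported. Consider adding a sentence that out-of-scope findings can still be submitted through the process outlined in this document, just without a reward. The "Bugs in dependencies. Please take them upstream!" bullet has a similar gap: it does not distinguish a flaw in an upstream library from a flaw in how this repo uses that library, and the second case arguably belongs in scope. Minor style point: the intro line "The following components are out of scope for the bounty program" has no closing colon or period, and the last three bullets are not components, so "The following are out of scope for the bounty program:" would read more accurately.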