From e9e46ff5211cb05cbe8ee0013bd191e9f290cb9f Mon Sep 17 00:00:00 2001 From: Trent Nelson Date: Tue, 30 Mar 2021 22:19:50 -0600 Subject: [PATCH] security policy: Add out-of-scope section --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index ce4783b56a..083c4255d6 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -42,6 +42,14 @@ RPC DoS/Crashes: $5,000 USD in locked SOL tokens (locked for 12 months) * RPC attacks +Out of Scope: +The following components are out of scope for the bounty program +* Metrics: `/metrics` in the monorepo as well as https://metrics.solana.com +* Explorer: `/explorer` in the monorepo as well as https://explorer.solana.com +* Any credentials, auth tokens, etc. checked into the repo +* Bugs in dependencies. Please take them upstream! +* Attacks that require social engineering + Eligibility: * The participant submitting the bug bounty shall follow the process outlined within this document * Valid exploits can be eligible even if they are not successfully executed on the cluster
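Review bot: The added bullet `* Any credentials, auth tokens, etc. checked into the repo` excludes committed secrets from the bounty but does not say whether they should still be reported, so it can be read as "do not report these". Consider adding a sentence that such findings should still go through the process outlined in this document, without a reward, so a live secret gets rotated. The intro line "The following components are out of scope for the bounty program" is followed by items that are not components (credentials, dependency bugs, social engineering) and has no closing punctuation; "The following are out of scope for the bounty program:" would fit the list. The `* Bugs in dependencies. Please take them upstream!` bullet could also state whether a dependency bug that is reachable only through this repo's own usage remains in scope.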