security.txt
This library defines a macro whose aim is to provide easy-to-parse information to security researchers who wish to contact the authors of a Solana smart contract. It is inspired by https://securitytxt.org/.
Example

The invocation below uses placeholder values for every field described under Format; substitute your project's own data.

```rust
security_txt! {
    // Required fields (placeholder values)
    name: "Example",
    project_url: "https://example.com",
    preferred_languages: "en",
    contacts: "email:security@example.com,link:https://example.com/security",
    policy: "https://example.com/security-policy",

    // Optional fields (placeholder values)
    source_code: "https://github.com/example/example",
    expiry: "2030-01-01",
    auditors: "Example Auditor",
    encryption: "https://example.com/pgp-key.txt",
    acknowledgements: "https://example.com/hall-of-fame"
}
```
Format
All values need to be string literals that may not contain null bytes.

Naive parsers may fail if the binary contains one of the security.txt delimiters (=======BEGIN SECURITY.TXT V1=======\0 and =======END SECURITY.TXT V1=======\0) anywhere else.
The following fields are supported, some of which are required for this to be considered a valid security.txt:

name (required): The name of the project.
project_url (required): A URL to the project's homepage/dapp.
source_code (optional): A URL to the project's source code.
expiry (optional): The date the security.txt will expire. The format is YYYY-MM-DD.
preferred_languages (required): A comma-separated list of preferred languages.
contacts (required): A comma-separated list of contact information in the format <contact type>:<contact information>. Possible contact types are email, discord, telegram, twitter, link and other.
auditors (optional): A comma-separated list of people or entities that audited this smart contract. Note that this field is self-reported by the author of the program and might not be accurate.
encryption (optional): A PGP public key block (or similar) or a link to one.
acknowledgements (optional): Either a link or a text document containing acknowledgements to security researchers that have found vulnerabilities in the project in the past.
policy (required): Either a link or a text document describing the project's security policy. This should describe what kind of bounties your project offers and the terms under which you offer them.
How it works
The macro inserts a &str into the .security.txt section of the resulting ELF. Because of how Rust strings work, this is a tuple of a pointer to the actual string and the length.

The string the macro builds begins with the start marker =======BEGIN SECURITY.TXT V1=======\0, and ends with the end marker =======END SECURITY.TXT V1=======\0. In between is a list of an even number of strings, delimited by null bytes. Every two strings form a key-value pair.