v1.0.1 — Honest-provenance correction

@Copenhagen0x Copenhagen0x released this 27 May 01:58

Released within hours of v1.0.0. Corrects bounty attributions for SOL-002, SOL-003, SOL-004, SOL-005 after Anatoly Yakovenko's triage of percolator-cli#78 clarified which findings translated to paid bounties.

What changed

  • SOL-001 now cites TWO bounty wins (same class, both maintainer-acknowledged via Lean theorem-prover models):
  • SOL-002 reframed: the cross-market pnl_pos_bound_tot class was publicly disclosed at percolator-prog#104 by another researcher. Not our bounty.
  • SOL-003 reframed: F1 was independently fixed in 0925ed4 before our submission was triaged. Real pattern, no paid bounty.
  • SOL-004 reframed: F2 classified as engine-side by maintainer; separate disclosure pending at aeyakovenko/percolator.
  • SOL-005 reframed: F12 classified as latent (reachable only when 14-asset cap is lifted).

Why this matters

v1.0.0's framing implicitly claimed bounty credit for findings that didn't translate to paid bounties. The bug-class rules themselves are unchanged — every one is a real Solana attack surface worth flagging — but provenance now matches what's actually paid and maintainer-confirmed. Honesty over inflated credentials.

See CHANGELOG.md for the full per-rule diff.

Install in 30 seconds

mkdir -p .claude && \
  curl -fsSL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/claude-security-guidance.md -o .claude/claude-security-guidance.md && \
  curl -fsSL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/security-patterns.yaml -o .claude/security-patterns.yaml

Maintained by Jelleo.