From bdf994dd2e406f4cdcc8ec7d383e3e89b02254ca Mon Sep 17 00:00:00 2001 From: Faye Amacker <33205765+fxamacker@users.noreply.github.com> Date: Wed, 21 Jan 2026 19:48:39 -0600 Subject: [PATCH 1/2] Add "Flow Rewards" section to SECURITY.md This commit adds a "Flow Rewards" section to SECURITY.md with some text (paraphrased from Jan's ideas) that might reduce security-related noise while still encouraging valid security reports. --- SECURITY.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ac3fd9a..859a03b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -14,8 +14,14 @@ Additionally, please include the following in the security report: - the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently) -- list of affected architectures (Atree is only officially supported on 64-bit) +- list of affected platforms (Atree is only officially supported on 64-bit architectures) -- version of [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree) +- version of the unmodified [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree) Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code. + +# Flow Rewards + +To qualify for a Flow protocol reward, the vulnerability reproducer should use unmodified version of flow-emulator on Flow localnet. If modifying the source code of any Flow component is necessary to reproduce the vulnerability, please describe each modification and why the vulnerability cannot be reproduced without modifying Flow components. + +Security reports should not evaluate Atree as a standalone component, because Atree relies on some limits and security guarantees provided by other components in Flow (such as `onflow/cadence` and `onflow/flow-go`). Before submitting a report, please try to reproduce the vulnerability using a Cadence script running on unmodified flow-emulator. From 3e9465029ea79c8c67e04ef82367937f0eed5945 Mon Sep 17 00:00:00 2001 
From: Faye Amacker <33205765+fxamacker@users.noreply.github.com> Date: Thu, 22 Jan 2026 10:00:51 -0600 Subject: [PATCH 2/2] Replace text that is moved to vulnerability disclosure program The first paragraph under "Flow Rewards" section is moved to the vulnerability disclosure program by Jan, so we don't have to keep that requirement in this document. This commit replaces the specific requirement with the more general statement: "Security reports that follow the guidelines and meet other conditions of the vulnerability disclosure program might qualify for Flow Protocol Rewards." --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 859a03b..79a1a6e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -16,12 +16,14 @@ Additionally, please include the following in the security report: - list of affected platforms (Atree is only officially supported on 64-bit architectures) +- list of changes to the source code of Flow components (generally, the vulnerability reproducer shouldn't require modifying Flow source code) + - version of the unmodified [Flow Emulator](https://github.com/onflow/flow-emulator) used to check the reported issue (issue might be prevented by Flow components that set or enforce limits on Atree) Before submitting a security report, please review your source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code. # Flow Rewards -To qualify for a Flow protocol reward, the vulnerability reproducer should use unmodified version of flow-emulator on Flow localnet. If modifying the source code of any Flow component is necessary to reproduce the vulnerability, please describe each modification and why the vulnerability cannot be reproduced without modifying Flow components. +Security reports that follow the guidelines and meet other conditions of the vulnerability disclosure program might qualify for Flow Protocol Rewards. Security reports should not evaluate Atree as a standalone component, because Atree relies on some limits and security guarantees provided by other components in Flow (such as `onflow/cadence` and `onflow/flow-go`). Before submitting a report, please try to reproduce the vulnerability using a Cadence script running on unmodified flow-emulator.
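Review bot: In the first patch's hunk, the new "Flow Rewards" paragraph requires reporters to describe each modification to a Flow component, but the report checklist above it has no matching item, so a reporter who works from the checklist alone will not know to include that list; add a bullet such as "- list of changes to the source code of Flow components" beside the existing emulator-version bullet so the two parts of the file agree. Two wording points in the same hunk: "should use unmodified version of flow-emulator" reads better as "should use an unmodified version of flow-emulator", and the paragraph says "Flow protocol reward" while the heading says "Flow Rewards"; use one name in both places.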
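Review bot: In the second patch's hunk, the replacement sentence "Security reports that follow the guidelines and meet other conditions of the vulnerability disclosure program might qualify for Flow Protocol Rewards." refers reporters to the vulnerability disclosure program without saying where it is, and since the concrete unmodified-emulator requirement now lives only there, the conditions are no longer discoverable from SECURITY.md; add a link to the program (a clearly marked placeholder until the URL is settled) next to that sentence. The heading still reads "# Flow Rewards" while the sentence says "Flow Protocol Rewards"; align the two. The new checklist bullet "list of changes to the source code of Flow components" could also ask reporters to state explicitly when no changes were made, so that a clean reproduction is distinguishable from an omitted answer.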