author: Daniel Stenberg <daniel@haxx.se> 2018-11-26 11:37:49 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-11-30 22:50:36 +0100
commit: 4a01a20bdb2a6a3b855001543f3bc82edc8e5134 (patch)
tree: 01293c04b889b36e7f2b55d54b83ff5fc550b114
parent: 650281ed5ba335d16a932ccba53665551197880f (diff)
SECURITY-PROCESS: bountygraph shuts down
This backpedals back the documents to the state before bountygraph. Closes #3311
-rw-r--r-- docs/BUG-BOUNTY.md 76
-rw-r--r-- docs/SECURITY-PROCESS.md 22
2 files changed, 9 insertions, 89 deletions
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
deleted file mode 100644
index 0c881b83f..000000000
--- a/docs/BUG-BOUNTY.md
+++ /dev/null
@@ -1,76 +0,0 @@
-# The curl bug bounty
-
- The curl project runs a bug bounty program in association with
- bountygraph.com.
-
- After you have reported a security issue to the curl project, it has been
- deemed credible and a patch and advisory has been made public you can be
- eligible for a bounty from this program.
-
- See all details at https://bountygraph.com/programs/curl
-
- This bounty is relying on funds from sponsors. If you use curl professionally,
- consider help funding this!
-
-## How much money is the bounty at
-
- The curl projects offer monetary compensation for reported and published
- security vulnerabilities. The amount of money that is rewarded depends on how
- serious the flaw is determined to be.
-
- We offer reward money *up to* the total amount of the fund. The curl security
- team determines the severity of each reported flaw on a case by case basis
- and the exact amount rewarded to the reporter is then decided by the sponsor.
-
-## Who's eligible for a reward
-
- Everyone and anyone who reports a security problem in a released curl version
- that hasn't already been reported can ask for a bounty.
-
- The vulnerability has to be fixed and publicly announced (by the curl
- project) before a bug bounty will be considered.
-
- Bounties need to be requested within twelve months from the publication of
- the vulnerability.
-
- The vulnerabilities must not have been made public before August 1st, 2018.
- We do not retroactively pay for old, already known and published security
- problems.
-
-## Product vulnerabilities only
-
- The bug bounty only concerns the curl and libcurl products and thus their
- respective source codes - when running on existing hardware. It does not
- include documentation, web sites or other infrastructure.
-
- The curl security team will be the sole arbiter if a reported flaw can be
- subject to a bounty or not.
-
-## How are vulnerabilities graded
-
- The grading of each reported vulnerability that makes a reward claim will be
- performed by the curl security team. The grading will be based on the CVSS
- (Common Vulnerability Scoring System) 3.0.
-
-## How are reward amounts determined
-
- The curl security team first gives the vulnerability a score, as mentioned
- above, and based on that level the sponsor sets the bounty amount depending
- on the specifics of the individual case.
-
- The bounty fund sponsor is the arbiter of the bounty amount.
-
-## What happens if the bounty fund is drained
-
- The bounty fund depends on sponsors. If we pay out more bounties than we add,
- the fund will eventually drain. If that end up happening, we will simply not
- be able to pay out as high bounties as we would like and hope that we can
- convince new sponsors to help us top up the fund again.
-
-## Regarding taxes etc on the bounties
-
- In the event that the individual receiving a curl bug bounty needs to pay
- taxes on the reward money, that's something for the receiver (and
- bountygraph.com?) to work out and handle. The curl project or its security
- team never actually receive any of this money, hold the money or pay out the
- money.
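Review bot: The deleted "Who's eligible for a reward" section set terms that reporters may already be relying on ("Bounties need to be requested within twelve months from the publication of the vulnerability", and the August 1st, 2018 cutoff), and neither this removal nor the commit message says what happens to claims still inside that window. Consider stating in the commit message or in SECURITY-PROCESS.md whether such claims lapse with the shutdown. The diffstat lists only two changed files, so it is also worth checking that no distribution file list or other document still references docs/BUG-BOUNTY.md.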
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index 9dd4cb77b..6cae5036b 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -121,19 +121,15 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
-Bountygraph Bug Bounty
-----------------------
-
-The curl project runs a bug bounty program in association with
-bountygraph.com.
-
-After you have reported a security issue to the curl project, it has been
-deemed credible and a patch and advisory has been made public you can be
-eligible for a bounty from this program.
+Hackerone Internet Bug Bounty
+-----------------------------
-See all details at [BountyGraph](https://bountygraph.com/programs/curl).
+The curl project does not run any bounty program on its own, but there are
+outside organizations that do. First report your issue the normal way and
+proceed as described in this document.
-This bounty is relying on funds from
-[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use
-curl professionally, consider help funding this!
+Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
+eligible to apply for a bounty from Hackerone for your find.
+Once your reported vulnerability has been publicly disclosed by the curl
+project, you can submit a [report to them](https://hackerone.com/ibb-data). \ No newline at end of file
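Review bot: In the added "Hackerone Internet Bug Bounty" section, the link text "critical" and the link text "report to them" both point to https://hackerone.com/ibb-data, so the document never says what counts as critical or who makes that call. Since the section states the project "does not run any bounty program on its own", it would help to say explicitly that eligibility and severity are judged by the outside organization, not the curl security team, and to link "critical" to the criteria themselves if a separate page exists. The section title also names one program while the text speaks of "outside organizations" in the plural; pick one framing. Minor: the file now ends without a trailing newline (see the "\ No newline at end of file" marker); add one.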