diff options
-rw-r--r-- | docs/BUG-BOUNTY.md | 76 | ||||
-rw-r--r-- | docs/SECURITY-PROCESS.md | 22 |
2 files changed, 9 insertions, 89 deletions
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md deleted file mode 100644 index 0c881b83f..000000000 --- a/docs/BUG-BOUNTY.md +++ /dev/null @@ -1,76 +0,0 @@ -# The curl bug bounty - - The curl project runs a bug bounty program in association with - bountygraph.com. - - After you have reported a security issue to the curl project, it has been - deemed credible and a patch and advisory has been made public you can be - eligible for a bounty from this program. - - See all details at https://bountygraph.com/programs/curl - - This bounty is relying on funds from sponsors. If you use curl professionally, - consider help funding this! - -## How much money is the bounty at - - The curl projects offer monetary compensation for reported and published - security vulnerabilities. The amount of money that is rewarded depends on how - serious the flaw is determined to be. - - We offer reward money *up to* the total amount of the fund. The curl security - team determines the severity of each reported flaw on a case by case basis - and the exact amount rewarded to the reporter is then decided by the sponsor. - -## Who's eligible for a reward - - Everyone and anyone who reports a security problem in a released curl version - that hasn't already been reported can ask for a bounty. - - The vulnerability has to be fixed and publicly announced (by the curl - project) before a bug bounty will be considered. - - Bounties need to be requested within twelve months from the publication of - the vulnerability. - - The vulnerabilities must not have been made public before August 1st, 2018. - We do not retroactively pay for old, already known and published security - problems. - -## Product vulnerabilities only - - The bug bounty only concerns the curl and libcurl products and thus their - respective source codes - when running on existing hardware. It does not - include documentation, web sites or other infrastructure. - - The curl security team will be the sole arbiter if a reported flaw can be - subject to a bounty or not. - -## How are vulnerabilities graded - - The grading of each reported vulnerability that makes a reward claim will be - performed by the curl security team. The grading will be based on the CVSS - (Common Vulnerability Scoring System) 3.0. - -## How are reward amounts determined - - The curl security team first gives the vulnerability a score, as mentioned - above, and based on that level the sponsor sets the bounty amount depending - on the specifics of the individual case. - - The bounty fund sponsor is the arbiter of the bounty amount. - -## What happens if the bounty fund is drained - - The bounty fund depends on sponsors. If we pay out more bounties than we add, - the fund will eventually drain. If that end up happening, we will simply not - be able to pay out as high bounties as we would like and hope that we can - convince new sponsors to help us top up the fund again. - -## Regarding taxes etc on the bounties - - In the event that the individual receiving a curl bug bounty needs to pay - taxes on the reward money, that's something for the receiver (and - bountygraph.com?) to work out and handle. The curl project or its security - team never actually receive any of this money, hold the money or pay out the - money. diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 9dd4cb77b..6cae5036b 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -121,19 +121,15 @@ Publishing Security Advisories 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. -Bountygraph Bug Bounty ----------------------- - -The curl project runs a bug bounty program in association with -bountygraph.com. - -After you have reported a security issue to the curl project, it has been -deemed credible and a patch and advisory has been made public you can be -eligible for a bounty from this program. +Hackerone Internet Bug Bounty +----------------------------- -See all details at [BountyGraph](https://bountygraph.com/programs/curl). +The curl project does not run any bounty program on its own, but there are +outside organizations that do. First report your issue the normal way and +proceed as described in this document. -This bounty is relying on funds from -[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use -curl professionally, consider help funding this! +Then, if the issue is [critical](https://hackerone.com/ibb-data), you are +eligible to apply for a bounty from Hackerone for your find. +Once your reported vulnerability has been publicly disclosed by the curl +project, you can submit a [report to them](https://hackerone.com/ibb-data).
\ No newline at end of file |