aboutsummaryrefslogtreecommitdiff
path: root/docs/SECURITY-PROCESS.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/SECURITY-PROCESS.md')
-rw-r--r--docs/SECURITY-PROCESS.md25
1 files changed, 21 insertions, 4 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index 6cae5036b..adcbd740c 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -121,15 +121,32 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
+Bountygraph Bug Bounty
+----------------------
+
+The curl project runs a bug bounty program in association with
+bountygraph.com.
+
+After you have reported a security issue to the curl project, it has been
+deemed credible and a patch and advisory has been made public you can be
+eligible for a bounty from this program.
+
+See all details at https://bountygraph.com/programs/curl
+
+This bounty is relying on funds from sponsors. If you use curl professionally,
+consider help funding this!
+
Hackerone Internet Bug Bounty
-----------------------------
-The curl project does not run any bounty program on its own, but there are
-outside organizations that do. First report your issue the normal way and
-proceed as described in this document.
+This bounty program is run by an independent outside organization: Hackerone.
+First report your issue the normal way and proceed as described in this
+document.
Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
eligible to apply for a bounty from Hackerone for your find.
Once your reported vulnerability has been publicly disclosed by the curl
-project, you can submit a [report to them](https://hackerone.com/ibb-data). \ No newline at end of file
+project, you can submit a [report to them](https://hackerone.com/ibb-data).
+
+You will not be able to claim bounties from more than one bounty program.