From 10e4dd6a7b3b2bc512223c4d94607f12443aab9f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 20 Apr 2019 12:19:47 +0200 Subject: docs/BUG-BOUNTY: bug bounty time [skip ci] Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system, which is only readable to curl security team members. Assisted-by: Daniel Gustafsson Closes #3488 --- docs/BUG-BOUNTY.md | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 docs/BUG-BOUNTY.md (limited to 'docs/BUG-BOUNTY.md') diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md new file mode 100644 index 000000000..5927762d2 --- /dev/null +++ b/docs/BUG-BOUNTY.md 
@@ -0,0 +1,89 @@ +# The curl bug bounty + +The curl project runs a bug bounty program in association with +[HackerOne](https://www.hackerone.com/). + +# How does it work? + +Start out by posting your suspected security vulnerability directly to [curl's +hackerone security bug tracker](https://www.hackerone.com/curl). + +After you have reported a security issue, it has been deemed credible and a +patch and advisory has been made public you can be eligible for a bounty from +this program. + +See all details at [https://hackerone.com/curl](https://hackerone.com/curl) + +This bounty is relying on funds from sponsors. If you use curl professionally, +consider help funding this! + +# How much money is the bounty at + +The curl projects offer monetary compensation for reported and published +security vulnerabilities. The amount of money that is rewarded depends on how +serious the flaw is determined to be. + +We offer reward money *up to* a certain amount per severity. The curl security +team determines the severity of each reported flaw on a case by case basis and +the exact amount rewarded to the reporter is then decided. + +At the start of the program, the award amounts are: + + Critical: 2,000 USD + High: 1,500 USD + Medium: 1,000 USD + Low: 500 USD + +# Who's eligible for a reward + +Everyone and anyone who reports a security problem in a released curl version +that hasn't already been reported can ask for a bounty. + +Vulnerabilities in features which are off by default and documented as +experimental, are not eligible for a reward. + +The vulnerability has to be fixed and publicly announced (by the curl project) +before a bug bounty will be considered. + +Bounties need to be requested within twelve months from the publication of the +vulnerability. + +The vulnerabilities must not have been made public before February 1st, 2019. +We do not retroactively pay for old, already known and published security +problems. 
+ +# Product vulnerabilities only + +This bug bounty only concerns the curl and libcurl products and thus their +respective source codes - when running on existing hardware. It does not +include documentation, web sites or other infrastructure. + +The curl security team will be the sole arbiter if a reported flaw can be +subject to a bounty or not. + +# How are vulnerabilities graded + +The grading of each reported vulnerability that makes a reward claim will be +performed by the curl security team. The grading will be based on the CVSS +(Common Vulnerability Scoring System) 3.0. + +# How are reward amounts determined + +The curl security team first gives the vulnerability a score, as mentioned +above, and based on that level we set an amount depending on the specifics of +the individual case. Other sponsors of the program might also get involved and +can raise the amounts depending on the particular issue. + +# What happens if the bounty fund is drained + +The bounty fund depends on sponsors. If we pay out more bounties than we add, +the fund will eventually drain. If that end up happening, we will simply not +be able to pay out as high bounties as we would like and hope that we can +convince new sponsors to help us top up the fund again. + +# Regarding taxes etc on the bounties + +In the event that the individual receiving a curl bug bounty needs to pay +taxes on the reward money, that's something for the receiver to work out and +handle together with hackerone. The curl project or its security team never +actually receive any of this money, hold the money or pay out the money. -- cgit v1.2.3
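Review bot: the new file never tells reporters that the HackerOne tracker is readable only by the curl security team, which is the very reason the commit message gives for recommending it over other channels; the "How does it work?" section should state that a report filed at https://www.hackerone.com/curl is visible to the security team only until the advisory is public, so that a reporter knows the details will not leak before a fix exists. In the same pass, fix the grammatical slips in this user-facing text: "The curl projects offer monetary compensation" should read "The curl project offers monetary compensation", "consider help funding this!" should read "consider helping to fund this!", "If that end up happening" should read "If that ends up happening", and the heading "How much money is the bounty at" reads better as "How much is the bounty". Finally, "Bounties need to be requested within twelve months from the publication of the vulnerability" should say which publication starts the clock, since the file elsewhere refers both to the curl project publicly announcing the fix and to the HackerOne page; naming the curl project's own advisory date would remove the ambiguity.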