From 10e4dd6a7b3b2bc512223c4d94607f12443aab9f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 20 Apr 2019 12:19:47 +0200 Subject: docs/BUG-BOUNTY: bug bounty time [skip ci] Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. Assisted-by: Daniel Gustafsson Closes #3488 --- docs/BUGS | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'docs/BUGS') diff --git a/docs/BUGS b/docs/BUGS index 7322d9b21..480e0caec 100644 --- a/docs/BUGS +++ b/docs/BUGS @@ -61,9 +61,14 @@ BUGS using our security development process. Security related bugs or bugs that are suspected to have a security impact, - should be reported by email to curl-security@haxx.se so that they first can - be dealt with away from the public to minimize the harm and impact it will - have on existing users out there who might be using the vulnerable versions. + should be reported on the curl security tracker at HackerOne: + + https://hackerone.com/curl + + This ensures that the report reaches the curl security team so that they + first can be deal with the report away from the public to minimize the harm + and impact it will have on existing users out there who might be using the + vulnerable versions. The curl project's process for handling security related issues is documented here: -- cgit v1.2.3
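Review bot: the added paragraph in the docs/BUGS hunk has a grammar slip, "first can be deal with the report", which should read "so that they first can deal with the report away from the public". In the same sentence, "the harm and impact it will have" now follows "the report", so "it" reads as the report rather than the bug; naming the issue explicitly would fix that. The hunk also removes curl-security@haxx.se without a replacement, so this file no longer lists any private channel for a reporter who cannot use HackerOne. Either keep the address as a fallback or state that it is no longer the place to report.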