docs: minor polish to the bug bounty / security docs

Closes #3811

README

@@ -42,6 +42,12 @@ GIT
 
   (you'll get a directory named curl created, filled with the source code)
 
+SECURITY PROBLEMS
+
+  Report suspected security problems via our HackerOne page and not in public!
+
+    https://hackerone.com/curl
+
 NOTICE
 
   Curl contains pieces of source code that is Copyright (c) 1998, 1999

README.md

@@ -52,7 +52,7 @@ To download the very latest source from the Git server do this:
 
 ## Security problems
 
-Report supected security problems on [our hackerone
+Report suspected security problems via [our HackerOne
 page](https://hackerone.com/curl) and not in public!
 
 ## Notice

docs/BUG-BOUNTY.md

@@ -1,23 +1,24 @@
 # The curl bug bounty
 
 The curl project runs a bug bounty program in association with
-[HackerOne](https://www.hackerone.com/).
+[HackerOne](https://www.hackerone.com) and the [Internet Bug
+Bounty](https://internetbugbounty.org].
 
 # How does it work?
 
 Start out by posting your suspected security vulnerability directly to [curl's
-hackerone security bug tracker](https://www.hackerone.com/curl).
+HackerOne program](https://hackerone.com/curl).
 
-After you have reported a security issue, it has been deemed credible and a
+After you have reported a security issue, it has been deemed credible, and a
-patch and advisory has been made public you can be eligible for a bounty from
+patch and advisory has been made public, you may be eligible for a bounty from
 this program.
 
-See all details at [https://hackerone.com/curl](https://hackerone.com/curl)
+See all details at https://hackerone.com/curl.
 
 This bounty is relying on funds from sponsors. If you use curl professionally,
-consider help funding this!
+consider help funding this! See https://opencollective.com/curl for details.
 
-# How much money is the bounty at
+# What are the reward amounts?
 
 The curl projects offer monetary compensation for reported and published
 security vulnerabilities. The amount of money that is rewarded depends on how
@@ -34,13 +35,13 @@ At the start of the program, the award amounts are:
  Medium:   1,000 USD
  Low:        500 USD
 
-# Who's eligible for a reward
+# Who is eligible for a reward?
 
 Everyone and anyone who reports a security problem in a released curl version
 that hasn't already been reported can ask for a bounty.
 
-Vulnerabilities in features which are off by default and documented as
+Vulnerabilities in features that are off by default and documented as
-experimental, are not eligible for a reward.
+experimental are not eligible for a reward.
 
 The vulnerability has to be fixed and publicly announced (by the curl project)
 before a bug bounty will be considered.
@@ -49,41 +50,41 @@ Bounties need to be requested within twelve months from the publication of the
 vulnerability.
 
 The vulnerabilities must not have been made public before February 1st, 2019.
-We do not retroactively pay for old, already known and published security
+We do not retroactively pay for old, already known, or published security
 problems.
 
 # Product vulnerabilities only
 
 This bug bounty only concerns the curl and libcurl products and thus their
 respective source codes - when running on existing hardware. It does not
-include documentation, web sites or other infrastructure.
+include documentation, websites, or other infrastructure.
 
 The curl security team will be the sole arbiter if a reported flaw can be
 subject to a bounty or not.
 
-# How are vulnerabilities graded
+# How are vulnerabilities graded?
 
 The grading of each reported vulnerability that makes a reward claim will be
 performed by the curl security team. The grading will be based on the CVSS
 (Common Vulnerability Scoring System) 3.0.
 
-# How are reward amounts determined
+# How are reward amounts determined?
 
 The curl security team first gives the vulnerability a score, as mentioned
 above, and based on that level we set an amount depending on the specifics of
 the individual case. Other sponsors of the program might also get involved and
 can raise the amounts depending on the particular issue.
 
-# What happens if the bounty fund is drained
+# What happens if the bounty fund is drained?
 
 The bounty fund depends on sponsors. If we pay out more bounties than we add,
 the fund will eventually drain. If that end up happening, we will simply not
 be able to pay out as high bounties as we would like and hope that we can
 convince new sponsors to help us top up the fund again.
 
-# Regarding taxes etc on the bounties
+# Regarding taxes, etc. on the bounties
 
 In the event that the individual receiving a curl bug bounty needs to pay
-taxes on the reward money, that's something for the receiver to work out and
+taxes on the reward money, the responsibility lies with the receiver. The
-handle together with hackerone. The curl project or its security team never
+curl project or its security team never actually receive any of this money,
-actually receive any of this money, hold the money or pay out the money.
+hold the money, or pay out the money.

docs/SECURITY-PROCESS.md

@@ -60,7 +60,7 @@ announcement.
   Figure out the CWE (Common Weakness Enumeration) number for the flaw.
 
 - Request a CVE number from
-  [Hackerone](https://docs.hackerone.com/programs/cve-requests.html)
+  [HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
 
 - Consider informing
   [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
@@ -125,8 +125,8 @@ Publishing Security Advisories
 6. On security advisory release day, push the changes on the curl-www
    repository's remote master branch.
 
-Hackerone Internet Bug Bounty
+Bug Bounty
------------------------------
+----------
 
 See [BUG-BOUNTY](BUG-BOUNTY.md) for specific details on the bug bounty
 program.