mirror of
https://github.com/moparisthebest/curl
synced 2024-12-23 08:38:49 -05:00
BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
Closes #3839
This commit is contained in:
parent
f4603708af
commit
489a4be12a
@ -13,7 +13,7 @@ After you have reported a security issue, it has been deemed credible, and a
patch and advisory has been made public, you may be eligible for a bounty from
this program.
See all details at https://hackerone.com/curl.
See all details at https://hackerone.com/curl
This bounty is relying on funds from sponsors. If you use curl professionally,
consider help funding this! See https://opencollective.com/curl for details.
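Review bot: the only change in this hunk is dropping the period after https://hackerone.com/curl, which leaves the sentence unpunctuated; if the aim is to stop renderers from folding the period into the auto-linked URL, writing it as `<https://hackerone.com/curl>.` keeps both the link boundary and the full stop.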
@ -28,12 +28,7 @@ We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case by case basis and
the exact amount rewarded to the reporter is then decided.
At the start of the program, the award amounts are:
Critical: 2,000 USD
High: 1,500 USD
Medium: 1,000 USD
Low: 500 USD
Check out the current award amounts at https://hackerone.com/curl
# Who is eligible for a reward?
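Review bot: replacing the award table with `Check out the current award amounts at https://hackerone.com/curl` removes the only mention in this file of the four severity tiers (Critical, High, Medium, Low) that the preceding sentence's "per severity" refers to; consider keeping the tier names without amounts so the document stays self-describing, and end the new line with a period to match the surrounding sentences.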
@ -88,3 +83,22 @@ In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receive any of this money,
hold the money, or pay out the money.
## Bonus levels
In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of the interest
areas of theirs - and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in are:
- RCE
- URL parsing vulnerabilities with demonstrable security impact
Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD where RCE is on the upper end of the spectrum.
URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.
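Review bot: the new section says the bonus applies only to bugs graded *high* or *critical*, but the payout figures that follow are tied to "critical vulnerabilities" (12k-32k USD) and to URL parsing issues (6k-12k, with no currency and no grade stated), so a reader cannot tell what a *high*-graded bonus is worth; state the grade and currency for the 6k-12k range explicitly. Minor grammar: "A non-exhaustive list of vulnerabilities Dropbox is interested in are:" should read "is:", and "interest areas of theirs" reads better as "their areas of interest".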