mirror of
https://github.com/moparisthebest/curl
synced 2024-12-24 09:08:49 -05:00
BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
Closes #3839
This commit is contained in:
parent
f4603708af
commit
489a4be12a
@ -13,7 +13,7 @@ After you have reported a security issue, it has been deemed credible, and a
|
|||||||
patch and advisory has been made public, you may be eligible for a bounty from
|
patch and advisory has been made public, you may be eligible for a bounty from
|
||||||
this program.
|
this program.
|
||||||
|
|
||||||
See all details at https://hackerone.com/curl.
|
See all details at https://hackerone.com/curl
|
||||||
|
|
||||||
This bounty is relying on funds from sponsors. If you use curl professionally,
|
This bounty is relying on funds from sponsors. If you use curl professionally,
|
||||||
consider help funding this! See https://opencollective.com/curl for details.
|
consider help funding this! See https://opencollective.com/curl for details.
|
||||||
@ -28,12 +28,7 @@ We offer reward money *up to* a certain amount per severity. The curl security
|
|||||||
team determines the severity of each reported flaw on a case by case basis and
|
team determines the severity of each reported flaw on a case by case basis and
|
||||||
the exact amount rewarded to the reporter is then decided.
|
the exact amount rewarded to the reporter is then decided.
|
||||||
|
|
||||||
At the start of the program, the award amounts are:
|
Check out the current award amounts at https://hackerone.com/curl
|
||||||
|
|
||||||
Critical: 2,000 USD
|
|
||||||
High: 1,500 USD
|
|
||||||
Medium: 1,000 USD
|
|
||||||
Low: 500 USD
|
|
||||||
|
|
||||||
# Who is eligible for a reward?
|
# Who is eligible for a reward?
|
||||||
|
|
||||||
@ -88,3 +83,22 @@ In the event that the individual receiving a curl bug bounty needs to pay
|
|||||||
taxes on the reward money, the responsibility lies with the receiver. The
|
taxes on the reward money, the responsibility lies with the receiver. The
|
||||||
curl project or its security team never actually receive any of this money,
|
curl project or its security team never actually receive any of this money,
|
||||||
hold the money, or pay out the money.
|
hold the money, or pay out the money.
|
||||||
|
|
||||||
|
## Bonus levels
|
||||||
|
|
||||||
|
In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
|
||||||
|
offer the highest levels of rewards if the issue covers one of the interest
|
||||||
|
areas of theirs - and only if the bug is graded *high* or *critical*. A
|
||||||
|
non-exhaustive list of vulnerabilities Dropbox is interested in are:
|
||||||
|
|
||||||
|
- RCE
|
||||||
|
- URL parsing vulnerabilities with demonstrable security impact
|
||||||
|
|
||||||
|
Dropbox would generally hand out rewards for critical vulnerabilities ranging
|
||||||
|
from 12k-32k USD where RCE is on the upper end of the spectrum.
|
||||||
|
|
||||||
|
URL parsing vulnerabilities with demonstrable security impact might include
|
||||||
|
incorrectly determining the authority of a URL when a special character is
|
||||||
|
inserted into the path of the URL (as a hypothetical). This type of
|
||||||
|
vulnerability would likely yield 6k-12k unless further impact could be
|
||||||
|
demonstrated.
|
||||||
|
Loading…
Reference in New Issue
Block a user