mirror of https://github.com/moparisthebest/curl synced 2024-12-23 16:48:49 -05:00

BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]

Closes #3839
Daniel Stenberg 2019-05-04 23:58:11 +02:00
parent f4603708af
commit 489a4be12a
GPG Key ID: 5CC908FDB71E12C2


@ -13,7 +13,7 @@ After you have reported a security issue, it has been deemed credible, and a
patch and advisory has been made public, you may be eligible for a bounty from patch and advisory has been made public, you may be eligible for a bounty from
this program. this program.
See all details at https://hackerone.com/curl. See all details at https://hackerone.com/curl
This bounty is relying on funds from sponsors. If you use curl professionally, This bounty is relying on funds from sponsors. If you use curl professionally,
consider help funding this! See https://opencollective.com/curl for details. consider help funding this! See https://opencollective.com/curl for details.
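Review bot: dropping the trailing period after https://hackerone.com/curl is the right call, since renderers and terminals often fold the "." into the link and produce a 404, but the same hunk leaves "consider help funding this!" in the unchanged context; since the file is being touched anyway, "consider helping to fund this!" would read correctly.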
@ -28,12 +28,7 @@ We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case by case basis and team determines the severity of each reported flaw on a case by case basis and
the exact amount rewarded to the reporter is then decided. the exact amount rewarded to the reporter is then decided.
At the start of the program, the award amounts are: Check out the current award amounts at https://hackerone.com/curl
Critical: 2,000 USD
High: 1,500 USD
Medium: 1,000 USD
Low: 500 USD
# Who is eligible for a reward? # Who is eligible for a reward?
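Review bot: replacing the Critical/High/Medium/Low amounts with a pointer to https://hackerone.com/curl removes the only place in the repository that names the severity tiers, yet the new "Bonus levels" section further down still depends on a bug being "graded *high* or *critical*". Consider keeping the four tier names in this list (without the USD figures that will go stale) so the grading vocabulary used later in the file is still defined in the file, e.g. "Rewards are paid per severity tier: critical, high, medium or low." The sentence "Check out the current award amounts at https://hackerone.com/curl" is otherwise fine, but it is a one-line paragraph jammed directly under "the exact amount rewarded to the reporter is then decided."; a blank line before it would keep the paragraph structure the rest of the file uses.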
@ -88,3 +83,22 @@ In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receive any of this money, curl project or its security team never actually receive any of this money,
hold the money, or pay out the money. hold the money, or pay out the money.
## Bonus levels
In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of the interest
areas of theirs - and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in are:
- RCE
- URL parsing vulnerabilities with demonstrable security impact
Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD where RCE is on the upper end of the spectrum.
URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.
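Review bot: the two payout ranges in this section are not tied to the severity grades the section opens with, so a reader cannot tell which grade the "6k-12k" figure applies to. "Dropbox would generally hand out rewards for critical vulnerabilities ranging from 12k-32k USD" is explicitly critical, but the URL-parsing paragraph only says it "would likely yield 6k-12k"; if that is the *high* band, say so ("a *high* graded URL parsing bug would likely yield 6k-12k USD"), and add the currency, which the first range states and the second omits. Two smaller points in the same hunk: "A non-exhaustive list of vulnerabilities Dropbox is interested in are:" should be "is:" (the subject is "list"), and "one of the interest areas of theirs" reads more naturally as "one of their areas of interest". Finally, "RCE" is the only abbreviation in the file that is never expanded; "remote code execution (RCE)" on first use would help reporters who are not native to the bounty vocabulary.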