mirror of
https://github.com/moparisthebest/curl
synced 2025-02-28 09:21:50 -05:00
SECURITY-PROCESS: bountygraph shuts down
This backpedals back the documents to the state before bountygraph. Closes #3311
This commit is contained in:
parent
650281ed5b
commit
4a01a20bdb
@ -1,76 +0,0 @@
# The curl bug bounty
The curl project runs a bug bounty program in association with
bountygraph.com.
After you have reported a security issue to the curl project, it has been
deemed credible and a patch and advisory has been made public you can be
eligible for a bounty from this program.
See all details at https://bountygraph.com/programs/curl
This bounty is relying on funds from sponsors. If you use curl professionally,
consider help funding this!
## How much money is the bounty at
The curl projects offer monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.
We offer reward money *up to* the total amount of the fund. The curl security
team determines the severity of each reported flaw on a case by case basis
and the exact amount rewarded to the reporter is then decided by the sponsor.
## Who's eligible for a reward
Everyone and anyone who reports a security problem in a released curl version
that hasn't already been reported can ask for a bounty.
The vulnerability has to be fixed and publicly announced (by the curl
project) before a bug bounty will be considered.
Bounties need to be requested within twelve months from the publication of
the vulnerability.
The vulnerabilities must not have been made public before August 1st, 2018.
We do not retroactively pay for old, already known and published security
problems.
## Product vulnerabilities only
The bug bounty only concerns the curl and libcurl products and thus their
respective source codes - when running on existing hardware. It does not
include documentation, web sites or other infrastructure.
The curl security team will be the sole arbiter if a reported flaw can be
subject to a bounty or not.
## How are vulnerabilities graded
The grading of each reported vulnerability that makes a reward claim will be
performed by the curl security team. The grading will be based on the CVSS
(Common Vulnerability Scoring System) 3.0.
## How are reward amounts determined
The curl security team first gives the vulnerability a score, as mentioned
above, and based on that level the sponsor sets the bounty amount depending
on the specifics of the individual case.
The bounty fund sponsor is the arbiter of the bounty amount.
## What happens if the bounty fund is drained
The bounty fund depends on sponsors. If we pay out more bounties than we add,
the fund will eventually drain. If that end up happening, we will simply not
be able to pay out as high bounties as we would like and hope that we can
convince new sponsors to help us top up the fund again.
## Regarding taxes etc on the bounties
In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, that's something for the receiver (and
bountygraph.com?) to work out and handle. The curl project or its security
team never actually receive any of this money, hold the money or pay out the
money.
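Review bot: this hunk deletes the whole bug-bounty document (-1,76 +0,0) instead of replacing it, so the eligibility rules it carried (fix and public announcement first, claims within twelve months of publication, nothing published before August 1st, 2018) and the statement that grading is done by the curl security team on CVSS 3.0 disappear with no pointer to where bounty terms now live. If any claims under the old terms are still open, consider leaving a one-line note in the security process text that the bountygraph program has ended, and check that nothing else in the tree (docs index, distribution file lists, README links) still references the removed document, since removing the file alone leaves such references dangling.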
@ -121,19 +121,15 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
repository's remote master branch.
Bountygraph Bug Bounty
Hackerone Internet Bug Bounty
----------------------
-----------------------------
The curl project runs a bug bounty program in association with
The curl project does not run any bounty program on its own, but there are
bountygraph.com.
outside organizations that do. First report your issue the normal way and
proceed as described in this document.
After you have reported a security issue to the curl project, it has been
Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
deemed credible and a patch and advisory has been made public you can be
eligible to apply for a bounty from Hackerone for your find.
eligible for a bounty from this program.
See all details at [BountyGraph](https://bountygraph.com/programs/curl).
This bounty is relying on funds from
[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use
curl professionally, consider help funding this!
Once your reported vulnerability has been publicly disclosed by the curl
project, you can submit a [report to them](https://hackerone.com/ibb-data).
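Review bot: the replacement text makes eligibility depend on the issue being "critical" but never says who makes that call; since the document being replaced had the curl security team grade reports on CVSS 3.0, a reader may assume that still applies. Suggest one clause making clear that the Internet Bug Bounty applies its own severity criteria, along the lines of "if the issue is judged critical by the IBB (see https://hackerone.com/ibb-data)". Also, both new links ("critical" and "report to them") point at the same https://hackerone.com/ibb-data page; if the second is meant to lead to the report submission page rather than the program data page, it should carry that URL instead.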