diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md new file mode 100644 index 000000000..896d82568 --- /dev/null +++ b/docs/BUG-BOUNTY.md @@ -0,0 +1,78 @@ +# The curl bug bounty + + The curl project runs a bug bounty program in association with + bountygraph.com. + + After you have reported a security issue to the curl project, it has been + deemed credible and a patch and advisory has been made public you can be + eligible for a bounty from this program. + + See all details at https://bountygraph.com/programs/curl + + This bounty is relying on funds from sponsors. If you use curl professionally, + consider help funding this! + +## How much money is the bounty at + + The curl projects offer monetary compensation for reported and published + security vulnerabilities. The amount of money rewarded depends on how serious + the flaw is determined to be. + + We offer reward money *up to* these amounts. The curl security team will + solely and exclusively determine the exact amount for each reported flaw on a + case by case basis and keep the rights to adjust the amount as it sees fit. + + - Low USD 500 + - Medium USD 1,000 + - High USD 5,000 + - Critical USD 10,000 + +## Who's eligible for a reward + + Everyone and anyone who reports a security problem in a released curl version + that hasn't already been reported can ask for a bounty. + + The vulnerability has to be fixed and publicly announced (by the curl + project) before a bug bounty will be considered. + + Bounties need to be requested within twelve months from the publication of + the vulnerability. + +## Product vulnerabilities only + + The bug bounty only concerns the curl and libcurl products and thus their + respective source codes - when running on existing hardware. It does not + include documentation, web sites or other infrastructure. + + The curl security team will be the sole arbiter if a reported flaw can be + subject to a bounty or not. + +## How are vulnerabilities graded + + The grading of each reported vulnerability that makes a reward claim will be + performed by the curl security team. The grading will be based on the CVSS + (Common Vulnerability Scoring System) 3.0. + +## How are reward amounts determined + + The curl security team first gives the vulnerability a score, as mentioned + above, and based on that level the team may increase or decrease the bounty + amount from the general template depending on the specifics of the individual + case. + + The curl security team will be the sole arbiter of the bounty amount. + +## What happens if the bounty fund is drained + + The bounty fund depends on sponsors. If we pay out more bounties than we add, + the fund will eventually drain. If that end up happening, we will simply not + be able to pay out as high bounties as we would like and hope that we can + convince new sponsors to help us top up the fund again. + +## Regarding taxes etc on the bounties + + In the event that the individual receiving a curl bug bounty needs to pay + taxes on the reward money, that's something for the receiver (and + bountygraph.com?) to work out and handle. The curl project or its security + team never actually receive any of this money, hold the money or pay out the + money.