docs/BUG-BOUNTY: the sponsors actually decide the amount

Retract the previous approach as the sponsors will be the ones to set the final amounts. Closes #3152 [ci skip]
2024-11-16 06:25:03 -05:00 · 2018-10-20 10:54:19 +02:00 · 2018-10-20 10:54:19 +02:00 · db1338474c
commit db1338474c
parent 05564e750e
1 changed files with 8 additions and 14 deletions
--- a/docs/BUG-BOUNTY.md
+++ b/docs/BUG-BOUNTY.md
@ -15,17 +15,12 @@
 ## How much money is the bounty at

 The curl projects offer monetary compensation for reported and published
- security vulnerabilities. The amount of money rewarded depends on how serious
- the flaw is determined to be.
+ security vulnerabilities. The amount of money that is rewarded depends on how
+ serious the flaw is determined to be.

- We offer reward money *up to* these amounts. The curl security team will
- solely and exclusively determine the exact amount for each reported flaw on a
- case by case basis and keep the rights to adjust the amount as it sees fit.
-
- - Low      USD 500
- - Medium   USD 1,000
- - High     USD 5,000
- - Critical USD 10,000
+ We offer reward money *up to* the total amount of the fund. The curl security
+ team determines the severity of each reported flaw on a case by case basis
+ and the exact amount rewarded to the reporter is then decided by the sponsor.

 ## Who's eligible for a reward

@ -60,11 +55,10 @@
 ## How are reward amounts determined

 The curl security team first gives the vulnerability a score, as mentioned
- above, and based on that level the team may increase or decrease the bounty
- amount from the general template depending on the specifics of the individual
- case.
+ above, and based on that level the sponsor sets the bounty amount depending
+ on the specifics of the individual case.

- The curl security team will be the sole arbiter of the bounty amount.
+ The bounty fund sponsor is the arbiter of the bounty amount.

 ## What happens if the bounty fund is drained