curl/SECURITY.md

<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.

SPDX-License-Identifier: curl
-->

# Security Policy

Read our [Vulnerability Disclosure Policy](docs/VULN-DISCLOSURE-POLICY.md).

## Reporting a Vulnerability

If you have found or just suspect a security problem somewhere in curl or
libcurl, report it on [HackerOne](https://hackerone.com/curl).

We treat security issues with confidentiality until controlled and disclosed responsibly.

## OpenSSF Best Practices

curl has achieved Gold status on the Open Source Security Foundation (OpenSSF)
[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure
Initiative Best Practices), reflecting its adherence to rigorous
security and best practice standards. This achievement highlights curl's
comprehensive documentation, secure development processes, effective change
control mechanisms, and strong maintenance routines. Meeting these criteria
demonstrates curl's commitment to security and reliability, ensuring the
project's sustainability and trustworthiness. This underscores curl's role as
a leader in open-source software practices. More information can be found on
[curl's OpenSSF Best Practices project page](https://www.bestpractices.dev/projects/63).
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869 2022-05-17 17:16:50 +08:00			`<!--`
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205 2023-01-02 20:51:48 +08:00			`Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.`
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869 2022-05-17 17:16:50 +08:00
SECURITY.md: minor rephrase Closes #5158 2020-03-28 08:34:51 +08:00			`SPDX-License-Identifier: curl`
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869 2022-05-17 17:16:50 +08:00			`-->`

SECURITY.md: created Brief security policy description for use/display on github. 2019-06-10 16:16:02 +08:00			`# Security Policy`

SECURITY-PROCESS.md. call it vulnerability disclosure policy SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md This a name commonly used for a document like this. This name helps users find it. Closes #11852 2023-09-14 22:41:19 +08:00			`Read our [Vulnerability Disclosure Policy](docs/VULN-DISCLOSURE-POLICY.md).`
SECURITY.md: created Brief security policy description for use/display on github. 2019-06-10 16:16:02 +08:00
			`## Reporting a Vulnerability`

docs: spellfixes Pointed by the new CI job 2022-09-21 05:30:19 +08:00			`If you have found or just suspect a security problem somewhere in curl or`
			`libcurl, report it on [HackerOne](https://hackerone.com/curl).`
SECURITY.md: created Brief security policy description for use/display on github. 2019-06-10 16:16:02 +08:00
SECURITY.md: minor rephrase Closes #5158 2020-03-28 08:34:51 +08:00			`We treat security issues with confidentiality until controlled and disclosed responsibly.`
SECURITY: mention OpenSSF best practices gold badge Closes #14319 2024-07-31 01:24:13 +08:00
docs: Clarify OpenSSF Best Practices vs Scorecard SECURITY.md has a recently added section titled OpenSSF Scorecard that actually documents OpenSSF Best Practices. Scorecard [0] is a different OpenSSF project, that incorporates Best Practices, but is distinct in its objectives and how it achieves them. This change clarifies the terminology, and also removes any implication that Gold Best Practices is an award rather than a self certification programme. As curl was a leader in implementing Best Practices some folk may be more familiar with the earlier Core Infrastructure Initiative (CII) naming, so a reference to that has been added. [0] https://scorecard.dev/ Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com> Ref: #14319 Closes #14635 2024-08-21 21:26:59 +08:00			`## OpenSSF Best Practices`

			`curl has achieved Gold status on the Open Source Security Foundation (OpenSSF)`
			`[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure`
			`Initiative Best Practices), reflecting its adherence to rigorous`
			`security and best practice standards. This achievement highlights curl's`
			`comprehensive documentation, secure development processes, effective change`
			`control mechanisms, and strong maintenance routines. Meeting these criteria`
			`demonstrates curl's commitment to security and reliability, ensuring the`
			`project's sustainability and trustworthiness. This underscores curl's role as`
			`a leader in open-source software practices. More information can be found on`
			`[curl's OpenSSF Best Practices project page](https://www.bestpractices.dev/projects/63).`