From 3cae1cd69924893b4ef6f9c7fe9ab1195ed48554 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 21 Sep 2018 23:21:30 +0200 Subject: [PATCH] SECURITY-PROCESS: mention the bountygraph program [ci skip] Closes #3032 --- docs/SECURITY-PROCESS.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 6cae5036b4..adcbd740c6 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md 
@@ -121,15 +121,32 @@ Publishing Security Advisories 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. +Bountygraph Bug Bounty +---------------------- + +The curl project runs a bug bounty program in association with +bountygraph.com. + +After you have reported a security issue to the curl project, it has been +deemed credible and a patch and advisory has been made public you can be +eligible for a bounty from this program. + +See all details at https://bountygraph.com/programs/curl + +This bounty is relying on funds from sponsors. If you use curl professionally, +consider help funding this! + Hackerone Internet Bug Bounty ----------------------------- -The curl project does not run any bounty program on its own, but there are -outside organizations that do. First report your issue the normal way and -proceed as described in this document. +This bounty program is run by an independent outside organization: Hackerone. +First report your issue the normal way and proceed as described in this +document. Then, if the issue is [critical](https://hackerone.com/ibb-data), you are eligible to apply for a bounty from Hackerone for your find. Once your reported vulnerability has been publicly disclosed by the curl -project, you can submit a [report to them](https://hackerone.com/ibb-data). \ No newline at end of file +project, you can submit a [report to them](https://hackerone.com/ibb-data). + +You will not be able to claim bounties from more than one bounty program.
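Review bot: The added closing sentence "You will not be able to claim bounties from more than one bounty program." sits at the end of the Hackerone Internet Bug Bounty section, so a reporter who reads only the new Bountygraph Bug Bounty section will not learn that the two programs are mutually exclusive. Suggest moving it to a short paragraph ahead of both sections, or repeating it under Bountygraph. In the Bountygraph text, the eligibility sentence needs a plural verb and a comma ("a patch and advisory have been made public, you can be eligible"), and "consider help funding this!" reads better as "consider helping to fund this". The two sections also state eligibility differently: Bountygraph requires only that the report was "deemed credible", while Hackerone requires the issue to be critical. It would help to say explicitly whether Bountygraph has a severity threshold, or that the linked program page is authoritative on that point.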