SECURITY-PROCESS: mention the bountygraph program [ci skip]

Closes #3032
Daniel Stenberg 2018-09-21 23:21:30 +02:00
parent 46e164069d
commit 3cae1cd699
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

@ -121,15 +121,32 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
Bountygraph Bug Bounty
----------------------
The curl project runs a bug bounty program in association with
bountygraph.com.
After you have reported a security issue to the curl project, it has been
deemed credible and a patch and advisory has been made public you can be
eligible for a bounty from this program.
See all details at https://bountygraph.com/programs/curl
This bounty is relying on funds from sponsors. If you use curl professionally,
consider help funding this!
Hackerone Internet Bug Bounty
-----------------------------
The curl project does not run any bounty program on its own, but there are
outside organizations that do. First report your issue the normal way and
proceed as described in this document.
This bounty program is run by an independent outside organization: Hackerone.
First report your issue the normal way and proceed as described in this
document.
Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
eligible to apply for a bounty from Hackerone for your find.
Once your reported vulnerability has been publicly disclosed by the curl
project, you can submit a [report to them](https://hackerone.com/ibb-data).
You will not be able to claim bounties from more than one bounty program.
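Review bot: the closing line "You will not be able to claim bounties from more than one bounty program." does not tell a reporter how to choose between the two programs or what happens when an issue qualifies under both. Consider adding a sentence saying who makes that choice and at what point in the process. In the Bountygraph section, the eligibility sentence is a run-on with a subject/verb mismatch ("a patch and advisory has been made public you can be eligible"); something like "Once you have reported a security issue, it has been deemed credible, and a patch and advisory have been made public, you may be eligible for a bounty from this program." reads more clearly, and "consider help funding this!" would read better as "consider helping to fund this!". The sentence "First report your issue the normal way and proceed as described in this document." also appears in two adjacent Hackerone paragraphs here; make sure only one copy remains in the final file, and that the paragraph stating "The curl project does not run any bounty program on its own" does not survive alongside the new section saying the project runs one.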