mirror of
https://github.com/curl/curl.git
synced 2025-01-30 14:22:33 +08:00
SECURITY-PROCESS: bountygraph shuts down
This backpedals back the documents to the state before bountygraph. Closes #3311
This commit is contained in:
Daniel Stenberg
parent
650281ed5b
commit
4a01a20bdb
@ -1,76 +0,0 @@
|
||||
# The curl bug bounty
|
||||
|
||||
The curl project runs a bug bounty program in association with
|
||||
bountygraph.com.
|
||||
|
||||
After you have reported a security issue to the curl project, it has been
|
||||
deemed credible and a patch and advisory has been made public you can be
|
||||
eligible for a bounty from this program.
|
||||
|
||||
See all details at https://bountygraph.com/programs/curl
|
||||
|
||||
This bounty is relying on funds from sponsors. If you use curl professionally,
|
||||
consider help funding this!
|
||||
|
||||
## How much money is the bounty at
|
||||
|
||||
The curl projects offer monetary compensation for reported and published
|
||||
security vulnerabilities. The amount of money that is rewarded depends on how
|
||||
serious the flaw is determined to be.
|
||||
|
||||
We offer reward money *up to* the total amount of the fund. The curl security
|
||||
team determines the severity of each reported flaw on a case by case basis
|
||||
and the exact amount rewarded to the reporter is then decided by the sponsor.
|
||||
|
||||
## Who's eligible for a reward
|
||||
|
||||
Everyone and anyone who reports a security problem in a released curl version
|
||||
that hasn't already been reported can ask for a bounty.
|
||||
|
||||
The vulnerability has to be fixed and publicly announced (by the curl
|
||||
project) before a bug bounty will be considered.
|
||||
|
||||
Bounties need to be requested within twelve months from the publication of
|
||||
the vulnerability.
|
||||
|
||||
The vulnerabilities must not have been made public before August 1st, 2018.
|
||||
We do not retroactively pay for old, already known and published security
|
||||
problems.
|
||||
|
||||
## Product vulnerabilities only
|
||||
|
||||
The bug bounty only concerns the curl and libcurl products and thus their
|
||||
respective source codes - when running on existing hardware. It does not
|
||||
include documentation, web sites or other infrastructure.
|
||||
|
||||
The curl security team will be the sole arbiter if a reported flaw can be
|
||||
subject to a bounty or not.
|
||||
|
||||
## How are vulnerabilities graded
|
||||
|
||||
The grading of each reported vulnerability that makes a reward claim will be
|
||||
performed by the curl security team. The grading will be based on the CVSS
|
||||
(Common Vulnerability Scoring System) 3.0.
|
||||
|
||||
## How are reward amounts determined
|
||||
|
||||
The curl security team first gives the vulnerability a score, as mentioned
|
||||
above, and based on that level the sponsor sets the bounty amount depending
|
||||
on the specifics of the individual case.
|
||||
|
||||
The bounty fund sponsor is the arbiter of the bounty amount.
|
||||
|
||||
## What happens if the bounty fund is drained
|
||||
|
||||
The bounty fund depends on sponsors. If we pay out more bounties than we add,
|
||||
the fund will eventually drain. If that end up happening, we will simply not
|
||||
be able to pay out as high bounties as we would like and hope that we can
|
||||
convince new sponsors to help us top up the fund again.
|
||||
|
||||
## Regarding taxes etc on the bounties
|
||||
|
||||
In the event that the individual receiving a curl bug bounty needs to pay
|
||||
taxes on the reward money, that's something for the receiver (and
|
||||
bountygraph.com?) to work out and handle. The curl project or its security
|
||||
team never actually receive any of this money, hold the money or pay out the
|
||||
money.
|
||||
@ -121,19 +121,15 @@ Publishing Security Advisories
|
||||
6. On security advisory release day, push the changes on the curl-www
|
||||
repository's remote master branch.
|
||||
|
||||
Bountygraph Bug Bounty
|
||||
----------------------
|
||||
Hackerone Internet Bug Bounty
|
||||
-----------------------------
|
||||
|
||||
The curl project runs a bug bounty program in association with
|
||||
bountygraph.com.
|
||||
The curl project does not run any bounty program on its own, but there are
|
||||
outside organizations that do. First report your issue the normal way and
|
||||
proceed as described in this document.
|
||||
|
||||
After you have reported a security issue to the curl project, it has been
|
||||
deemed credible and a patch and advisory has been made public you can be
|
||||
eligible for a bounty from this program.
|
||||
|
||||
See all details at [BountyGraph](https://bountygraph.com/programs/curl).
|
||||
|
||||
This bounty is relying on funds from
|
||||
[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use
|
||||
curl professionally, consider help funding this!
|
||||
Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
|
||||
eligible to apply for a bounty from Hackerone for your find.
|
||||
|
||||
Once your reported vulnerability has been publicly disclosed by the curl
|
||||
project, you can submit a [report to them](https://hackerone.com/ibb-data).
|
||||
Loading…
Reference in New Issue
Block a user