mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-02-17 14:59:45 +08:00
Code Issues Packages Projects Releases Wiki Activity

BUG-BOUNTY: removed the cooperation mention

Browse Source
This commit is contained in:
Daniel Stenberg 2021-02-03 14:24:09 +01:00
parent 2f33be817c
commit a030c59c6d
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 0 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/BUG-BOUNTY.md
View File

@ -81,22 +81,3 @@ In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receive any of this money,
hold the money, or pay out the money.
## Bonus levels
In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of the interest
areas of theirs - and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in are:
- RCE
- URL parsing vulnerabilities with demonstrable security impact
Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD where RCE is on the upper end of the spectrum.
URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.