diff options
Diffstat (limited to 'docs/BUG-BOUNTY.md')
-rw-r--r-- | docs/BUG-BOUNTY.md | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md deleted file mode 100644 index 0c881b83f..000000000 --- a/docs/BUG-BOUNTY.md +++ /dev/null @@ -1,76 +0,0 @@ -# The curl bug bounty - - The curl project runs a bug bounty program in association with - bountygraph.com. - - After you have reported a security issue to the curl project, it has been - deemed credible and a patch and advisory has been made public you can be - eligible for a bounty from this program. - - See all details at https://bountygraph.com/programs/curl - - This bounty is relying on funds from sponsors. If you use curl professionally, - consider help funding this! - -## How much money is the bounty at - - The curl projects offer monetary compensation for reported and published - security vulnerabilities. The amount of money that is rewarded depends on how - serious the flaw is determined to be. - - We offer reward money *up to* the total amount of the fund. The curl security - team determines the severity of each reported flaw on a case by case basis - and the exact amount rewarded to the reporter is then decided by the sponsor. - -## Who's eligible for a reward - - Everyone and anyone who reports a security problem in a released curl version - that hasn't already been reported can ask for a bounty. - - The vulnerability has to be fixed and publicly announced (by the curl - project) before a bug bounty will be considered. - - Bounties need to be requested within twelve months from the publication of - the vulnerability. - - The vulnerabilities must not have been made public before August 1st, 2018. - We do not retroactively pay for old, already known and published security - problems. - -## Product vulnerabilities only - - The bug bounty only concerns the curl and libcurl products and thus their - respective source codes - when running on existing hardware. It does not - include documentation, web sites or other infrastructure. - - The curl security team will be the sole arbiter if a reported flaw can be - subject to a bounty or not. - -## How are vulnerabilities graded - - The grading of each reported vulnerability that makes a reward claim will be - performed by the curl security team. The grading will be based on the CVSS - (Common Vulnerability Scoring System) 3.0. - -## How are reward amounts determined - - The curl security team first gives the vulnerability a score, as mentioned - above, and based on that level the sponsor sets the bounty amount depending - on the specifics of the individual case. - - The bounty fund sponsor is the arbiter of the bounty amount. - -## What happens if the bounty fund is drained - - The bounty fund depends on sponsors. If we pay out more bounties than we add, - the fund will eventually drain. If that end up happening, we will simply not - be able to pay out as high bounties as we would like and hope that we can - convince new sponsors to help us top up the fund again. - -## Regarding taxes etc on the bounties - - In the event that the individual receiving a curl bug bounty needs to pay - taxes on the reward money, that's something for the receiver (and - bountygraph.com?) to work out and handle. The curl project or its security - team never actually receive any of this money, hold the money or pay out the - money. |