summaryrefslogtreecommitdiff
path: root/docs/BUG-BOUNTY.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/BUG-BOUNTY.md')
-rw-r--r--docs/BUG-BOUNTY.md89
1 files changed, 89 insertions, 0 deletions
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
new file mode 100644
index 000000000..5927762d2
--- /dev/null
+++ b/docs/BUG-BOUNTY.md
@@ -0,0 +1,89 @@
+# The curl bug bounty
+
+The curl project runs a bug bounty program in association with
+[HackerOne](https://www.hackerone.com/).
+
+# How does it work?
+
+Start out by posting your suspected security vulnerability directly to [curl's
+hackerone security bug tracker](https://www.hackerone.com/curl).
+
+After you have reported a security issue, it has been deemed credible and a
+patch and advisory has been made public you can be eligible for a bounty from
+this program.
+
+See all details at [https://hackerone.com/curl](https://hackerone.com/curl)
+
+This bounty is relying on funds from sponsors. If you use curl professionally,
+consider help funding this!
+
+# How much money is the bounty at
+
+The curl projects offer monetary compensation for reported and published
+security vulnerabilities. The amount of money that is rewarded depends on how
+serious the flaw is determined to be.
+
+We offer reward money *up to* a certain amount per severity. The curl security
+team determines the severity of each reported flaw on a case by case basis and
+the exact amount rewarded to the reporter is then decided.
+
+At the start of the program, the award amounts are:
+
+ Critical: 2,000 USD
+ High: 1,500 USD
+ Medium: 1,000 USD
+ Low: 500 USD
+
+# Who's eligible for a reward
+
+Everyone and anyone who reports a security problem in a released curl version
+that hasn't already been reported can ask for a bounty.
+
+Vulnerabilities in features which are off by default and documented as
+experimental, are not eligible for a reward.
+
+The vulnerability has to be fixed and publicly announced (by the curl project)
+before a bug bounty will be considered.
+
+Bounties need to be requested within twelve months from the publication of the
+vulnerability.
+
+The vulnerabilities must not have been made public before February 1st, 2019.
+We do not retroactively pay for old, already known and published security
+problems.
+
+# Product vulnerabilities only
+
+This bug bounty only concerns the curl and libcurl products and thus their
+respective source codes - when running on existing hardware. It does not
+include documentation, web sites or other infrastructure.
+
+The curl security team will be the sole arbiter if a reported flaw can be
+subject to a bounty or not.
+
+# How are vulnerabilities graded
+
+The grading of each reported vulnerability that makes a reward claim will be
+performed by the curl security team. The grading will be based on the CVSS
+(Common Vulnerability Scoring System) 3.0.
+
+# How are reward amounts determined
+
+The curl security team first gives the vulnerability a score, as mentioned
+above, and based on that level we set an amount depending on the specifics of
+the individual case. Other sponsors of the program might also get involved and
+can raise the amounts depending on the particular issue.
+
+# What happens if the bounty fund is drained
+
+The bounty fund depends on sponsors. If we pay out more bounties than we add,
+the fund will eventually drain. If that end up happening, we will simply not
+be able to pay out as high bounties as we would like and hope that we can
+convince new sponsors to help us top up the fund again.
+
+# Regarding taxes etc on the bounties
+
+In the event that the individual receiving a curl bug bounty needs to pay
+taxes on the reward money, that's something for the receiver to work out and
+handle together with hackerone. The curl project or its security team never
+actually receive any of this money, hold the money or pay out the money.
View Lorry Controller Status