From db1338474c699a95f824d525c210a3590c6f2554 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 20 Oct 2018 10:54:19 +0200 Subject: docs/BUG-BOUNTY: the sponsors actually decide the amount Retract the previous approach as the sponsors will be the ones to set the final amounts. Closes #3152 [ci skip] --- docs/BUG-BOUNTY.md | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md index 813cc5fc1..0c881b83f 100644 --- a/docs/BUG-BOUNTY.md +++ b/docs/BUG-BOUNTY.md @@ -15,17 +15,12 @@ ## How much money is the bounty at The curl projects offer monetary compensation for reported and published - security vulnerabilities. The amount of money rewarded depends on how serious - the flaw is determined to be. + security vulnerabilities. The amount of money that is rewarded depends on how + serious the flaw is determined to be. - We offer reward money *up to* these amounts. The curl security team will - solely and exclusively determine the exact amount for each reported flaw on a - case by case basis and keep the rights to adjust the amount as it sees fit. - - - Low USD 500 - - Medium USD 1,000 - - High USD 5,000 - - Critical USD 10,000 + We offer reward money *up to* the total amount of the fund. The curl security + team determines the severity of each reported flaw on a case by case basis + and the exact amount rewarded to the reporter is then decided by the sponsor. ## Who's eligible for a reward 
@@ -60,11 +55,10 @@ ## How are reward amounts determined The curl security team first gives the vulnerability a score, as mentioned - above, and based on that level the team may increase or decrease the bounty - amount from the general template depending on the specifics of the individual - case. + above, and based on that level the sponsor sets the bounty amount depending + on the specifics of the individual case. - The curl security team will be the sole arbiter of the bounty amount. + The bounty fund sponsor is the arbiter of the bounty amount. ## What happens if the bounty fund is drained -- cgit v1.2.1
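Review bot: In the first hunk (@@ -15,17 +15,12 @@) the new sentence "the exact amount rewarded to the reporter is then decided by the sponsor" introduces "the sponsor" without saying who that is, while the second hunk calls it "the bounty fund sponsor"; use the same term in both places, e.g. "is then decided by the bounty fund sponsor". Two smaller points in the same hunk: rewording "The amount of money rewarded" to "The amount of money that is rewarded" only adds words and forces a reflow of an otherwise unchanged sentence, so the first two changed lines could be dropped from the diff; and with the USD tier list removed, the severity names (Low, Medium, High, Critical) no longer appear anywhere in this section even though "How are reward amounts determined" still refers to the score, so consider keeping one sentence that names the severity levels the team assigns.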
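Review bot: In the second hunk (@@ -60,11 +55,10 @@) the added sentence "based on that level the sponsor sets the bounty amount depending on the specifics of the individual case" hangs two qualifiers ("based on that level" and "depending on the specifics") on one verb; split it, e.g. "above. The sponsor then sets the bounty amount for that level, taking the specifics of the individual case into account." The last changed line also drops "sole" from "sole arbiter": if the intent is that the sponsor's decision is final and the security team's score is only an input, keep "sole" or say so explicitly, since the section otherwise leaves open whether the score can be overridden.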