From 10e4dd6a7b3b2bc512223c4d94607f12443aab9f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 20 Apr 2019 12:19:47 +0200 Subject: docs/BUG-BOUNTY: bug bounty time [skip ci] Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. Assisted-by: Daniel Gustafsson Closes #3488 --- docs/BUGS | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'docs/BUGS') diff --git a/docs/BUGS b/docs/BUGS index 7322d9b21..480e0caec 100644 --- a/docs/BUGS +++ b/docs/BUGS @@ -61,9 +61,14 @@ BUGS using our security development process. Security related bugs or bugs that are suspected to have a security impact, - should be reported by email to curl-security@haxx.se so that they first can - be dealt with away from the public to minimize the harm and impact it will - have on existing users out there who might be using the vulnerable versions. + should be reported on the curl security tracker at HackerOne: + + https://hackerone.com/curl + + This ensures that the report reaches the curl security team so that they + first can be deal with the report away from the public to minimize the harm + and impact it will have on existing users out there who might be using the + vulnerable versions. The curl project's process for handling security related issues is documented here: -- cgit v1.2.1