summaryrefslogtreecommitdiff
path: root/docs/BUG-BOUNTY.md
blob: 813cc5fc16dd957084832cc0433f3c934dc5d423 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
# The curl bug bounty

 The curl project runs a bug bounty program in association with
 bountygraph.com.

 After you have reported a security issue to the curl project, it has been
 deemed credible and a patch and advisory has been made public you can be
 eligible for a bounty from this program.

 See all details at https://bountygraph.com/programs/curl

 This bounty is relying on funds from sponsors. If you use curl professionally,
 consider help funding this!

## How much money is the bounty at

 The curl projects offer monetary compensation for reported and published
 security vulnerabilities. The amount of money rewarded depends on how serious
 the flaw is determined to be.

 We offer reward money *up to* these amounts. The curl security team will
 solely and exclusively determine the exact amount for each reported flaw on a
 case by case basis and keep the rights to adjust the amount as it sees fit.

 - Low      USD 500
 - Medium   USD 1,000
 - High     USD 5,000
 - Critical USD 10,000

## Who's eligible for a reward

 Everyone and anyone who reports a security problem in a released curl version
 that hasn't already been reported can ask for a bounty.

 The vulnerability has to be fixed and publicly announced (by the curl
 project) before a bug bounty will be considered.

 Bounties need to be requested within twelve months from the publication of
 the vulnerability.

 The vulnerabilities must not have been made public before August 1st, 2018.
 We do not retroactively pay for old, already known and published security
 problems.

## Product vulnerabilities only

 The bug bounty only concerns the curl and libcurl products and thus their
 respective source codes - when running on existing hardware. It does not
 include documentation, web sites or other infrastructure.

 The curl security team will be the sole arbiter if a reported flaw can be
 subject to a bounty or not.

## How are vulnerabilities graded

 The grading of each reported vulnerability that makes a reward claim will be
 performed by the curl security team. The grading will be based on the CVSS
 (Common Vulnerability Scoring System) 3.0.

## How are reward amounts determined

 The curl security team first gives the vulnerability a score, as mentioned
 above, and based on that level the team may increase or decrease the bounty
 amount from the general template depending on the specifics of the individual
 case.

 The curl security team will be the sole arbiter of the bounty amount.

## What happens if the bounty fund is drained

 The bounty fund depends on sponsors. If we pay out more bounties than we add,
 the fund will eventually drain. If that end up happening, we will simply not
 be able to pay out as high bounties as we would like and hope that we can
 convince new sponsors to help us top up the fund again.

## Regarding taxes etc on the bounties

 In the event that the individual receiving a curl bug bounty needs to pay
 taxes on the reward money, that's something for the receiver (and
 bountygraph.com?) to work out and handle. The curl project or its security
 team never actually receive any of this money, hold the money or pay out the
 money.