Annotation of embedaddon/curl/docs/BUG-BOUNTY.md, revision 1.1
# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

# How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program.

See all details at [https://hackerone.com/curl](https://hackerone.com/curl)

This bounty relies on funds from sponsors. If you use curl professionally,
consider helping to fund it! See
[https://opencollective.com/curl](https://opencollective.com/curl) for
details.

# What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case-by-case basis and
the exact amount rewarded to the reporter is then decided.

Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl)

# Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that hasn't already been reported can ask for a bounty.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty will be considered.

Bounties need to be requested within twelve months from the publication of the
vulnerability.

The vulnerabilities must not have been made public before February 1st, 2019.
We do not retroactively pay for old, already known, or published security
problems.

# Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source codes - when running on existing hardware. It does not
include documentation, websites, or other infrastructure.

The curl security team will be the sole arbiter of whether a reported flaw can
be subject to a bounty or not.

# How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim will be
performed by the curl security team. The grading will be based on the CVSS
(Common Vulnerability Scoring System) 3.0.

# How are reward amounts determined?

The curl security team first gives the vulnerability a score, as mentioned
above, and based on that level we set an amount depending on the specifics of
the individual case. Other sponsors of the program might also get involved and
can raise the amounts depending on the particular issue.

# What happens if the bounty fund is drained?

The bounty fund depends on sponsors. If we pay out more bounties than we add,
the fund will eventually drain. If that ends up happening, we will simply not
be able to pay out as high bounties as we would like, and we hope that we can
convince new sponsors to help us top up the fund again.

# Regarding taxes, etc. on the bounties

In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receive any of this money,
hold the money, or pay out the money.

## Bonus levels

In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of Dropbox's
interest areas - and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in is:

- RCE
- URL parsing vulnerabilities with demonstrable security impact

Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD, where RCE is on the upper end of the spectrum.

URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.