Annotation of embedaddon/curl/docs/BUG-BOUNTY.md, revision 1.1.1.1

# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

# How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program.

See all details at [https://hackerone.com/curl](https://hackerone.com/curl)

This bounty relies on funds from sponsors. If you use curl professionally,
consider helping to fund it! See
[https://opencollective.com/curl](https://opencollective.com/curl) for
details.

# What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case-by-case basis and
then decides the exact amount rewarded to the reporter.

Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl)

# Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty will be considered.

Bounties need to be requested within twelve months from the publication of the
vulnerability.

The vulnerabilities must not have been made public before February 1st, 2019.
We do not retroactively pay for old, already known, or published security
problems.

# Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source code, when running on existing hardware. It does not
include documentation, websites, or other infrastructure.

The curl security team is the sole arbiter of whether a reported flaw can be
subject to a bounty or not.

# How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim is
performed by the curl security team. The grading is based on the CVSS
(Common Vulnerability Scoring System) 3.0.

# How are reward amounts determined?

The curl security team first gives the vulnerability a score, as mentioned
above, and based on that level we set an amount depending on the specifics of
the individual case. Other sponsors of the program might also get involved and
can raise the amounts depending on the particular issue.

# What happens if the bounty fund is drained?

The bounty fund depends on sponsors. If we pay out more in bounties than we add,
the fund will eventually drain. If that ends up happening, we will simply not
be able to pay out bounties as high as we would like, and we hope that we can
convince new sponsors to help us top up the fund again.

# Regarding taxes, etc. on the bounties

In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project and its security team never actually receive, hold, or pay out
any of this money.

# Bonus levels

In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of their interest
areas, and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in is:

 - RCE (remote code execution)
 - URL parsing vulnerabilities with demonstrable security impact

Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD, where RCE is on the upper end of the spectrum.

URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.
