File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / docs / BUG-BOUNTY.md
Revision 1.1.1.1 (vendor branch)
Wed Jun 3 10:01:15 2020 UTC by misho
Branches: curl, MAIN
CVS tags: v7_70_0p4, HEAD
curl

# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

# How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program.

See all details at [https://hackerone.com/curl](https://hackerone.com/curl)

This bounty relies on funds from sponsors. If you use curl professionally,
consider helping to fund it! See
[https://opencollective.com/curl](https://opencollective.com/curl) for
details.

# What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case-by-case basis and
then decides the exact amount rewarded to the reporter.

Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl)

# Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that hasn't already been reported can ask for a bounty.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty will be considered.

Bounties need to be requested within twelve months of the publication of the
vulnerability.

The vulnerabilities must not have been made public before February 1st, 2019.
We do not retroactively pay for old, already known, or published security
problems.

# Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source code, when running on existing hardware. It does not
include documentation, websites, or other infrastructure.

The curl security team will be the sole arbiter of whether a reported flaw can
be subject to a bounty or not.

# How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim will be
performed by the curl security team. The grading will be based on the CVSS
(Common Vulnerability Scoring System) 3.0.

# How are reward amounts determined?

The curl security team first gives the vulnerability a score, as mentioned
above, and based on that level we set an amount depending on the specifics of
the individual case. Other sponsors of the program might also get involved and
can raise the amounts depending on the particular issue.

# What happens if the bounty fund is drained?

The bounty fund depends on sponsors. If we pay out more in bounties than we
add, the fund will eventually drain. If that ends up happening, we will simply
not be able to pay out bounties as high as we would like, and we hope that we
can convince new sponsors to help us top up the fund again.

# Regarding taxes, etc. on the bounties

In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receives any of this money,
holds the money, or pays out the money.

## Bonus levels

In cooperation with [Dropbox](https://www.dropbox.com), the curl bug bounty can
offer the highest levels of rewards if the issue covers one of their areas of
interest, and only if the bug is graded *high* or *critical*. A
non-exhaustive list of vulnerabilities Dropbox is interested in is:

 - RCE
 - URL parsing vulnerabilities with demonstrable security impact

Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD, where RCE is on the upper end of the spectrum.

URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.
