Вы не можете выбрать более 25 тем
Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
74 строки
2.9 KiB
Markdown
74 строки
2.9 KiB
Markdown
# The curl bug bounty
|
|
|
|
The curl project runs a bug bounty program in association with
|
|
[HackerOne](https://www.hackerone.com) and the [Internet Bug
|
|
Bounty](https://internetbugbounty.org).
|
|
|
|
# How does it work?
|
|
|
|
Start out by posting your suspected security vulnerability directly to [curl's
|
|
HackerOne program](https://hackerone.com/curl).
|
|
|
|
After you have reported a security issue, it has been deemed credible, and a
|
|
patch and advisory has been made public, you may be eligible for a bounty from
|
|
this program. See the [SECURITY-PROCESS](SECURITY-PROCESS.md) document for how
|
|
we work with security issues.
|
|
|
|
# What are the reward amounts?
|
|
|
|
The curl project offers monetary compensation for reported and published
|
|
security vulnerabilities. The amount of money that is rewarded depends on how
|
|
serious the flaw is determined to be.
|
|
|
|
Since 2021, the Bug Bounty is managed in association with the Internet Bug
|
|
Bounty and they will set the reward amounts. If it would turn out that they
|
|
set amounts that are way lower than we can accept, the curl project intends to
|
|
"top up" rewards.
|
|
|
|
# Who is eligible for a reward?
|
|
|
|
Everyone and anyone who reports a security problem in a released curl version
|
|
that has not already been reported can ask for a bounty.
|
|
|
|
Vulnerabilities in features that are off by default and documented as
|
|
experimental are not eligible for a reward.
|
|
|
|
The vulnerability has to be fixed and publicly announced (by the curl project)
|
|
before a bug bounty will be considered.
|
|
|
|
Once the vulnerability has been published by curl, the researcher can request
|
|
their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
|
|
|
|
Bounties need to be requested within twelve months from the publication of the
|
|
vulnerability.
|
|
|
|
# Product vulnerabilities only
|
|
|
|
This bug bounty only concerns the curl and libcurl products and thus their
|
|
respective source codes - when running on existing hardware. It does not
|
|
include curl documentation, curl websites, or other curl related
|
|
infrastructure.
|
|
|
|
The curl security team is the sole arbiter if a reported flaw is subject to a
|
|
bounty or not.
|
|
|
|
# How are vulnerabilities graded?
|
|
|
|
The grading of each reported vulnerability that makes a reward claim will be
|
|
performed by the curl security team. The grading will be based on the CVSS
|
|
(Common Vulnerability Scoring System) 3.0.
|
|
|
|
# How are reward amounts determined?
|
|
|
|
The curl security team first gives the vulnerability a score, as mentioned
|
|
above, and based on that level we set an amount depending on the specifics of
|
|
the individual case. Other sponsors of the program might also get involved and
|
|
can raise the amounts depending on the particular issue.
|
|
|
|
# Regarding taxes, etc. on the bounties
|
|
|
|
In the event that the individual receiving a bug bounty needs to pay taxes on
|
|
the reward money, the responsibility lies with the receiver. The curl project
|
|
or its security team never actually receive any of this money, hold the money,
|
|
or pay out the money.
|