From 3cf86508fdc3f54bb2a3f42c8c0bd464ea39883d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 23 Feb 2026 11:31:18 +0100 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: use hackerone - bug_report.yml: use hackerone Closes #20683 --- .github/ISSUE_TEMPLATE/bug_report.yml | 2 +- docs/VULN-DISCLOSURE-POLICY.md | 24 +++--------------------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index 0bcfd2dab4..c2b79901af 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -13,7 +13,7 @@ body: Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/ - **SECURITY RELATED?** Submit here: https://github.com/curl/curl/security/advisories + **SECURITY RELATED?** Submit here: https://hackerone.com/curl - type: textarea id: reproducer diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index f9555320d7..e6562bc1a2 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -29,10 +29,9 @@ mailing lists. Messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement. -- The person discovering the issue, the reporter, reports the vulnerability to - the curl project. Do this [on - GitHub](https://github.com/curl/curl/security/advisories). Such submissions - reach a handful of selected and trusted people. +- The person discovering the issue, the reporter, reports the vulnerability on + [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful + of selected and trusted people. - Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in curl or libcurl are ignored and no further action 
@@ -99,23 +98,6 @@ announcement. - The security webpage on the website should get the new vulnerability mentioned. -## GitHub Advisories - -We receive *advisories* submitted on GitHub but we consider them to be -*reports*. Since we want to keep the original report as-is and preserved, we -cannot use this system to author nor publish the actual final advisory for a -confirmed vulnerability. - -The security reports submitted on GitHub are not published, instead they are -always closed weather confirmed or not. - -Confirmed security reports are instead published as security advisories on the -curl website in sync with the curl release in which the fix is published for -the vulnerability. - -Unfortunately, GitHub does not allow us to disclose the reports. They can only -be published as "advisories" - and they are not. - ## security (at curl dot se) This is a private mailing list for discussions on and about curl security
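Review bot: In the @@ -13,7 +13,7 @@ hunk of .github/ISSUE_TEMPLATE/bug_report.yml, the "SECURITY RELATED?" line now names https://hackerone.com/curl as the only place to submit. Since docs/VULN-DISCLOSURE-POLICY.md in this same patch still carries the "security (at curl dot se)" private list section, consider stating in the template (or in the policy text this patch edits) whether a reporter who cannot use HackerOne should use that list, so there is exactly one documented fallback rather than an implicit one.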
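Review bot: The @@ -99,23 +98,6 @@ hunk of docs/VULN-DISCLOSURE-POLICY.md deletes the whole "GitHub Advisories" section, and with it two statements that did not depend on GitHub and are not restated anywhere in the new text: that confirmed reports are published as advisories on the curl website in sync with the release that carries the fix, and that the original report itself is closed rather than published. Readers of the updated policy are left without any description of what happens to a HackerOne report after triage. Suggest keeping those two paragraphs under a heading such as "HackerOne reports", fixing "closed weather confirmed or not" to "whether" while the text is touched, and adding one sentence on whether HackerOne reports are disclosed or kept private, since the old section's last paragraph ("GitHub does not allow us to disclose the reports") no longer applies.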