VULN-DISCLOSURE-POLICY.md: use hackerone

- bug_report.yml: use hackerone

Closes #20683
Daniel Stenberg 2026-02-23 11:31:18 +01:00
parent 26eddf002f
commit 3cf86508fd
GPG Key ID: 5CC908FDB71E12C2
2 changed files with 4 additions and 22 deletions

View File

@ -13,7 +13,7 @@ body:
Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/
**SECURITY RELATED?** Submit here: https://github.com/curl/curl/security/advisories
**SECURITY RELATED?** Submit here: https://hackerone.com/curl
- type: textarea
id: reproducer
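Review bot: swapping the URL in the issue template does not close the old intake path. The GitHub form at https://github.com/curl/curl/security/advisories keeps accepting private reports as long as private vulnerability reporting is enabled for the repository, so a reporter who does not read the template text can still file there and the project ends up with two channels. Consider disabling that setting in the same change, or stating in the policy that anything arriving there is redirected to HackerOne.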

View File

@ -29,10 +29,9 @@ mailing lists. Messages associated with any commits should not make any
reference to the security nature of the commit if done prior to the public
announcement.
- The person discovering the issue, the reporter, reports the vulnerability to
the curl project. Do this [on
GitHub](https://github.com/curl/curl/security/advisories). Such submissions
reach a handful of selected and trusted people.
- The person discovering the issue, the reporter, reports the vulnerability on
[HackerOne](https://hackerone.com/curl). Issues filed there reach a handful
of selected and trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed
security vulnerability in curl or libcurl are ignored and no further action
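Review bot: the rewritten bullet no longer says who receives the report. The removed text had "reports the vulnerability to the curl project"; the new one only says "Issues filed there reach a handful of selected and trusted people", which leaves open which group that is and how it is chosen. Keep the "to the curl project" phrase and name the group (for example the curl security team, whose membership is covered further down under the security mailing list), so a reporter knows who triages on HackerOne.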
@ -99,23 +98,6 @@ announcement.
- The security webpage on the website should get the new vulnerability
mentioned.
## GitHub Advisories
We receive *advisories* submitted on GitHub but we consider them to be
*reports*. Since we want to keep the original report as-is and preserved, we
cannot use this system to author nor publish the actual final advisory for a
confirmed vulnerability.
The security reports submitted on GitHub are not published, instead they are
always closed weather confirmed or not.
Confirmed security reports are instead published as security advisories on the
curl website in sync with the curl release in which the fix is published for
the vulnerability.
Unfortunately, GitHub does not allow us to disclose the reports. They can only
be published as "advisories" - and they are not.
## security (at curl dot se)
This is a private mailing list for discussions on and about curl security
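Review bot: deleting the "## GitHub Advisories" section also removes two statements that were not GitHub-specific: that the original report is preserved as-is and never published from the submission system, and that confirmed vulnerabilities are published as advisories on the curl website in sync with the release that carries the fix. The remaining bullet "The security webpage on the website should get the new vulnerability mentioned" does not fully cover that. Unless it is stated elsewhere in the file, a short "## HackerOne" section with the equivalent text (reports stay unpublished on the platform; disclosure happens on the curl website at release time) would keep the policy complete after the move.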