git-market/curl-curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-11 12:01:42 +08:00
Code Issues Actions 14 Packages Projects Releases Wiki Activity

BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026

Browse Source 
Remove mentions of the bounty and hackerone.

Closes #20312
This commit is contained in:
Daniel Stenberg 2026-01-22 09:41:47 +01:00
parent 2da1bbca96
commit ca7ef4b817
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
11 changed files with 36 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.github/ISSUE_TEMPLATE/bug_report.yml vendored
View File

@ -13,12 +13,7 @@ body:
Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/ Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/
**SECURITY RELATED?** Post it here: https://hackerone.com/curl **SECURITY RELATED?** Submit here: https://github.com/curl/curl/security/advisories
There are collections of known issues to be aware of:
- https://curl.se/docs/knownbugs.html
- https://curl.se/docs/todo.html
- type: textarea - type: textarea
id: reproducer id: reproducer
@ -40,7 +35,7 @@ body:
label: curl/libcurl version label: curl/libcurl version
description: | description: |
Please paste the output of `curl -V` here. Please paste the output of `curl -V` here.
placeholder: 'curl 8.2.0' placeholder: 'curl 8.18.0'
validations: validations:
required: true required: true

8
README
View File

@ -33,18 +33,18 @@ WEBSITE
Visit the curl website for the latest news and downloads: Visit the curl website for the latest news and downloads:
https://curl.se/ https://curl.se/
GIT GIT
To download the latest source code off the GIT server, do this: To download the latest source code off the GIT server, do this:
git clone https://github.com/curl/curl git clone https://github.com/curl/curl
(you will get a directory named curl created, filled with the source code) (you will get a directory named curl created, filled with the source code)
SECURITY PROBLEMS SECURITY PROBLEMS
Report suspected security problems via our HackerOne page and not in public. Report suspected security problems privately and not in public.
https://hackerone.com/curl https://curl.se/dev/vuln-disclosure.html

4
README.md
View File

@ -54,8 +54,8 @@ Download the latest source from the Git server:
## Security problems ## Security problems
Report suspected security problems via [our HackerOne Report suspected security problems
page](https://hackerone.com/curl) and not in public. [privately](https://curl.se/dev/vuln-disclosure.html) and not in public.
## Backers ## Backers

13
SECURITY.md
View File

@ -11,18 +11,19 @@ Read our [Vulnerability Disclosure Policy](docs/VULN-DISCLOSURE-POLICY.md).
## Reporting a Vulnerability ## Reporting a Vulnerability
If you have found or just suspect a security problem somewhere in curl or If you have found or just suspect a security problem somewhere in curl or
libcurl, report it on [HackerOne](https://hackerone.com/curl). libcurl, [report it](https://curl.se/dev/vuln-disclosure.html)!
We treat security issues with confidentiality until controlled and disclosed responsibly. We treat security issues with confidentiality until controlled and disclosed
responsibly.
## OpenSSF Best Practices ## OpenSSF Best Practices
curl has achieved Gold status on the Open Source Security Foundation (OpenSSF) curl has achieved Gold status on the Open Source Security Foundation (OpenSSF)
[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure [Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure
Initiative Best Practices), reflecting its adherence to rigorous Initiative Best Practices), reflecting its adherence to rigorous security and
security and best practice standards. This achievement highlights curl's best practice standards. This achievement highlights curl's comprehensive
comprehensive documentation, secure development processes, effective change documentation, secure development processes, effective change control
control mechanisms, and strong maintenance routines. Meeting these criteria mechanisms, and strong maintenance routines. Meeting these criteria
demonstrates curl's commitment to security and reliability, ensuring the demonstrates curl's commitment to security and reliability, ensuring the
project's sustainability and trustworthiness. This underscores curl's role as project's sustainability and trustworthiness. This underscores curl's role as
a leader in open-source software practices. More information can be found on a leader in open-source software practices. More information can be found on

89
docs/BUG-BOUNTY.md
View File

@ -6,88 +6,13 @@ SPDX-License-Identifier: curl
# The curl bug bounty # The curl bug bounty
The curl project runs a bug bounty program in association with Up until the end of January 2026 there was a curl bug bounty. It is no more.
[HackerOne](https://www.hackerone.com/) and the [Internet Bug
Bounty](https://internetbugbounty.org/).
## How does it work? The curl project does not offer any rewards for reported bugs or
vulnerabilities. We also do not aid security researchers to get such rewards
for curl problems from other sources either.
Start out by posting your suspected security vulnerability directly to [curl's A bug bounty gives people too strong incentives to find and make up "problems"
HackerOne program](https://hackerone.com/curl). in bad faith that cause overload and abuse.
After you have reported a security issue, it has been deemed credible, and a We still appreciate and value valid vulnerability reports.
patch and advisory has been made public, you may be eligible for a bounty from
this program. See the [Security Process](https://curl.se/dev/secprocess.html)
document for how we work with security issues.
## What are the reward amounts?
The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.
Since 2021, the Bug Bounty is managed in association with the Internet Bug
Bounty and they set the reward amounts. If it would turn out that they set
amounts that are way lower than we can accept, the curl project intends to
"top up" rewards.
In 2025, typical "Medium" rated vulnerabilities are rewarded 2,500 USD each.
## Who is eligible for a reward?
Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.
Dedicated - paid for - security audits that are performed in collaboration
with curl developers are not eligible for bounties.
Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.
The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty is considered.
Once the vulnerability has been published by curl, the researcher can request
their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
Bounties need to be requested within twelve months from the publication of the
vulnerability.
The curl security team reserves themselves the right to deny or allow bug
bounty payouts on its own discretion. There is no appeals process.
## Product vulnerabilities only
This bug bounty only concerns the curl and libcurl products and thus their
respective source codes - when running on existing hardware. It does not
include curl documentation, curl websites, or other curl related
infrastructure.
The curl security team is the sole arbiter if a reported flaw is subject to a
bounty or not.
## Third parties
The curl bug bounty does not cover flaws in third party dependencies
(libraries) used by curl or libcurl. If the bug triggers because of curl
behaving wrongly or abusing a third party dependency, the problem is rather in
curl and not in the dependency and then the bounty might cover the problem.
## How are vulnerabilities graded?
The grading of each reported vulnerability that makes a reward claim is
performed by the curl security team. The grading is based on the CVSS (Common
Vulnerability Scoring System) 3.0.
## How are reward amounts determined?
The curl security team gives the vulnerability a score or severity level, as
mentioned above. The actual monetary reward amount is decided and paid by the
Internet Bug Bounty..
## Regarding taxes, etc. on the bounties
In the event that the individual receiving a bug bounty needs to pay taxes on
the reward money, the responsibility lies with the receiver. The curl project
or its security team never actually receive any of this money, hold the money,
or pay out the money.

10
docs/BUGS.md
View File

@ -36,13 +36,11 @@ vulnerable if the bug becomes public knowledge, then please report that bug
using our security development process. using our security development process.
Security related bugs or bugs that are suspected to have a security impact, Security related bugs or bugs that are suspected to have a security impact,
should be reported on the should be reported [privately](https://curl.se/dev/vuln-disclosure.html).
[curl security tracker at HackerOne](https://hackerone.com/curl).
This ensures that the report reaches the curl security team so that they This ensures that the report reaches the curl security team so that they first
first can deal with the report away from the public to minimize the harm and can deal with the report away from the public to minimize the harm and impact
impact it has on existing users out there who might be using the vulnerable it has on existing users out there who might be using the vulnerable versions.
versions.
The curl project's process for handling security related issues is The curl project's process for handling security related issues is
[documented separately](https://curl.se/dev/secprocess.html). [documented separately](https://curl.se/dev/secprocess.html).

2
docs/FAQ.md
View File

@ -169,7 +169,7 @@ the web based archives of the mailing lists), thus saving us from having to
repeat ourselves even more. Thanks for respecting this. repeat ourselves even more. Thanks for respecting this.
If you have found or simply suspect a security problem in curl or libcurl, If you have found or simply suspect a security problem in curl or libcurl,
submit all the details at [HackerOne](https://hackerone.com/curl). On there we [submit all the details to us](https://curl.se/dev/vuln-disclosure.html). We
keep the issue private while we investigate, confirm it, work and validate a keep the issue private while we investigate, confirm it, work and validate a
fix and agree on a time schedule for publication etc. That way we produce a fix and agree on a time schedule for publication etc. That way we produce a
fix in a timely manner before the flaw is announced to the world, reducing the fix in a timely manner before the flaw is announced to the world, reducing the

5
docs/GOVERNANCE.md
View File

@ -46,9 +46,8 @@ the project.
Donating plain money to curl is best done to curl's [Open Collective Donating plain money to curl is best done to curl's [Open Collective
fund](https://opencollective.com/curl). Open Collective is a US based fund](https://opencollective.com/curl). Open Collective is a US based
non-profit organization that holds on to funds for us. This fund is then used non-profit organization that holds on to funds for us. This fund is used to
for paying the curl security bug bounties, to reimburse project related reimburse and pay for project related expenses etc.
expenses etc.
Donations to the project can also come in the form of server hosting, providing Donations to the project can also come in the form of server hosting, providing
services and paying for people to work on curl related code etc. Usually, such services and paying for people to work on curl related code etc. Usually, such

8
docs/INFRASTRUCTURE.md
View File

@ -172,14 +172,6 @@ instances used for this.
We use a few rare additional curl related email aliases in the curl domains. We use a few rare additional curl related email aliases in the curl domains.
They go through the mail server `mail.haxx.se` maintained by Daniel Stenberg They go through the mail server `mail.haxx.se` maintained by Daniel Stenberg
## Bug-bounty
We run a [bug-bounty](https://curl.se/docs/bugbounty.html) on HackerOne. The
setup runs entirely at https://hackerone.com/curl.
The money part for the bug bounty is sponsored by the [Internet Bug
Bounty](https://hackerone.com/ibb).
## Open Collective ## Open Collective
We use [Open Collective](https://opencollective.com/curl) as our "fiscal We use [Open Collective](https://opencollective.com/curl) as our "fiscal

4
docs/SPONSORS.md
View File

@ -17,8 +17,8 @@ two to spend work hours on curl related tasks.
We promise to use donated funds for things and activities that we believe are We promise to use donated funds for things and activities that we believe are
beneficial for the project and its development. That includes but is not beneficial for the project and its development. That includes but is not
limited to bug-bounties, developer conferences, infrastructure, development, limited to developer conferences, infrastructure, development, services and
services and hardware. hardware.
Recurring donations above a certain amount of money puts the sponsor at a Recurring donations above a certain amount of money puts the sponsor at a
named sponsor level: **Silver**, **Gold**, **Platinum** or **Top**. named sponsor level: **Silver**, **Gold**, **Platinum** or **Top**.

17
docs/VULN-DISCLOSURE-POLICY.md
View File

@ -29,9 +29,11 @@ mailing lists. Messages associated with any commits should not make any
reference to the security nature of the commit if done prior to the public reference to the security nature of the commit if done prior to the public
announcement. announcement.
- The person discovering the issue, the reporter, reports the vulnerability on - The person discovering the issue, the reporter, reports the vulnerability to
[HackerOne](https://hackerone.com/curl). Issues filed there reach a handful the curl project. Do this [on
of selected and trusted people. GitHub](https://github.com/curl/curl/security/advisories) or send an email
to `security at curl.se`. Such submissions reach a handful of selected and
trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed - Messages that do not relate to the reporting or managing of an undisclosed
security vulnerability in curl or libcurl are ignored and no further action security vulnerability in curl or libcurl are ignored and no further action
@ -76,10 +78,6 @@ announcement.
repository via a normal PR - but without mentioning it being a security repository via a normal PR - but without mentioning it being a security
vulnerability. vulnerability.
- The monetary reward part of the bug-bounty is managed by the Internet Bug
Bounty team and the reporter is asked to request the reward from them after
the issue has been completely handled and published by curl.
- No more than seven days before release, inform - No more than seven days before release, inform
[distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
to prepare them about the upcoming public security vulnerability to prepare them about the upcoming public security vulnerability
@ -144,11 +142,6 @@ has been published.
*All* reports submitted to the project, valid or not, should be disclosed and *All* reports submitted to the project, valid or not, should be disclosed and
made public. made public.
## Bug Bounty
See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
bug bounty program.
# Severity levels # Severity levels
The curl project's security team rates security problems using four severity The curl project's security team rates security problems using four severity