BUG-BOUNTY.md: clarify that the curl security team decides

author Daniel Stenberg <daniel@haxx.se>

Thu, 22 Feb 2024 15:34:35 +0000 (16:34 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Fri, 23 Feb 2024 09:29:45 +0000 (10:29 +0100)
author Daniel Stenberg <daniel@haxx.se>
Thu, 22 Feb 2024 15:34:35 +0000 (16:34 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Fri, 23 Feb 2024 09:29:45 +0000 (10:29 +0100)
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md

index 3714efda524550bfad9294019edbcf27560db2a9..f3fc1d82372a81f9ca20b943c5bdd7fdad5fe02f 100644 (file)
--- a/docs/BUG-BOUNTY.md
+++ b/docs/BUG-BOUNTY.md
@@ -48,6 +48,9 @@ their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
  Bounties need to be requested within twelve months from the publication of the
  vulnerability.
  
+The curl security team reserves themselves the right to deny or allow bug
+bounty payouts on its own discretion. There is no appeals process.
+
  ## Product vulnerabilities only
  
  This bug bounty only concerns the curl and libcurl products and thus their
author	Daniel Stenberg <daniel@haxx.se>
	Thu, 22 Feb 2024 15:34:35 +0000 (16:34 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Fri, 23 Feb 2024 09:29:45 +0000 (10:29 +0100)