After you have reported a security issue, it has been deemed credible, and a
patch and advisory has been made public, you may be eligible for a bounty from
-this program. See the [SECURITY-PROCESS](SECURITY-PROCESS.md) document for how
-we work with security issues.
+this program. See the [Security Process](https://curl.se/dev/secprocess.html)
+document for how we work with security issues.
## What are the reward amounts?
# Anatomy of a curl security advisory
-As described in the `SECURITY-PROCESS.md` document, when a security
-vulnerability has been reported to the project and confirmed, we author an
-advisory document for for the issue. It should ideally be written in
-cooperation with the reporter to make sure all the angles and details of the
-problem are gathered and described correctly and succinctly.
+As described in the [Security Process](https://curl.se/dev/secprocess.html)
+document, when a security vulnerability has been reported to the project and
+confirmed, we author an advisory document for for the issue. It should ideally
+be written in cooperation with the reporter to make sure all the angles and
+details of the problem are gathered and described correctly and succinctly.
## New document
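Review bot: The duplicated word in "we author an advisory document for for the issue" is carried over unchanged from the removed paragraph into the rewrapped one. Since this paragraph is being rewritten anyway, drop the extra "for" so the added line reads "we author an advisory document for the issue."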
problem is, its impact, which versions it affects, solutions or workarounds,
when the release is out and make sure to credit all contributors properly.
Figure out the CWE (Common Weakness Enumeration) number for the flaw. See
- [SECURITY-ADVISORY](SECURITY-ADVISORY.md) for help on creating the advisory.
+ [SECURITY-ADVISORY](https://curl.se/dev/advisory.html) for help on creating
+ the advisory.
- Request a CVE number from
[HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
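Review bot: The link text here is still the old file-name form, `[SECURITY-ADVISORY](https://curl.se/dev/advisory.html)`, while the other two hunks switch to a title-style label, `[Security Process](...)`, when moving to the website URL. For consistency, give this link a title-style label as well, now that it no longer points at a file named SECURITY-ADVISORY.md.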