From: Daniel Stenberg Date: Wed, 8 May 2024 09:45:37 +0000 (+0200) Subject: BUG-BOUNTY.md: clarify the third party situation X-Git-Tag: curl-8_8_0~60 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87b6fe1695e4c075fb8e3b9dcc61de87e56a1c28;p=thirdparty%2Fcurl.git BUG-BOUNTY.md: clarify the third party situation We do not pay bounties for problems in other libraries. Closes #13560 --- diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md index d533af9442..399c4cfe1e 100644 --- a/docs/BUG-BOUNTY.md +++ b/docs/BUG-BOUNTY.md @@ -67,6 +67,13 @@ infrastructure. The curl security team is the sole arbiter if a reported flaw is subject to a bounty or not. +## Third parties + +The curl bug bounty does not cover flaws in third party dependencies +(libraries) used by curl or libcurl. If the bug triggers because of curl +behaving wrongly or abusing a third party dependency, the problem is rather in +curl and not in the dependency and then the bounty might cover the problem. + ## How are vulnerabilities graded? The grading of each reported vulnerability that makes a reward claim is
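Review bot: The last sentence of the new "Third parties" paragraph leaves the decisive case open: "the bounty might cover the problem" does not say who makes that call or on what basis, even though the unchanged context line directly above the hunk already states that the curl security team is the sole arbiter of whether a reported flaw is subject to a bounty. Suggest tying the two together so the reader is not left guessing, e.g. "the problem is then treated as a curl flaw and the security team decides whether the bounty applies." Two smaller wording points in the same hunk: "abusing a third party dependency" is ambiguous (it could be read as a security term), while "misusing" or "calling incorrectly" states the intended meaning (curl using the dependency's API wrongly) plainly; and "third party" should be hyphenated as "third-party" where it is used as an adjective ("third-party dependencies"), while the heading "Third parties" is fine as the noun form.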