From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 22 Feb 2024 15:34:35 +0000 (+0100)
Subject: BUG-BOUNTY.md: clarify that the curl security team decides
X-Git-Tag: curl-8_7_0~147
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8dbc3c7a6bd5288ec1ba873620aafda5e27508f8;p=thirdparty%2Fcurl.git

BUG-BOUNTY.md: clarify that the curl security team decides

Closes #12975
---

diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
index 3714efda52..f3fc1d8237 100644
--- a/docs/BUG-BOUNTY.md
+++ b/docs/BUG-BOUNTY.md
@@ -48,6 +48,9 @@ their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
 Bounties need to be requested within twelve months from the publication of the
 vulnerability.
 
+The curl security team reserves themselves the right to deny or allow bug
+bounty payouts on its own discretion. There is no appeals process.
+
 ## Product vulnerabilities only
 
 This bug bounty only concerns the curl and libcurl products and thus their