From 87b6fe1695e4c075fb8e3b9dcc61de87e56a1c28 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 8 May 2024 11:45:37 +0200 Subject: [PATCH] BUG-BOUNTY.md: clarify the third party situation We do not pay bounties for problems in other libraries. Closes #13560 --- docs/BUG-BOUNTY.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md index d533af9442..399c4cfe1e 100644 --- a/docs/BUG-BOUNTY.md +++ b/docs/BUG-BOUNTY.md @@ -67,6 +67,13 @@ infrastructure. The curl security team is the sole arbiter if a reported flaw is subject to a bounty or not. +## Third parties + +The curl bug bounty does not cover flaws in third party dependencies +(libraries) used by curl or libcurl. If the bug triggers because of curl +behaving wrongly or abusing a third party dependency, the problem is rather in +curl and not in the dependency and then the bounty might cover the problem. + ## How are vulnerabilities graded? The grading of each reported vulnerability that makes a reward claim is -- 2.47.3
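Review bot: in the new "Third parties" paragraph, the closing clause "and then the bounty might cover the problem" leaves the decision rule open, while the paragraph immediately above the hunk already states that the curl security team is the sole arbiter of whether a flaw is subject to a bounty; consider ending the sentence by pointing back to that, e.g. "...then the problem is rather in curl than in the dependency, and the security team decides whether the bounty covers it." Two style points on the same lines: "third party" used attributively should be hyphenated ("third-party dependencies", "a third-party dependency"), and the second sentence is a long run-on that reads more clearly split in two, e.g. "If the bug triggers because curl behaves wrongly or misuses a third-party dependency, the problem is in curl rather than in the dependency." / "In that case the bounty may cover it." Since the section now tells reporters what is out of scope, it would also help to add one sentence saying where a flaw that is genuinely in the dependency should be reported (the dependency's own project), so the reporter is not left without a path.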