Remove mentions of the bounty and hackerone.
Closes #20312
Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/
- **SECURITY RELATED?** Post it here: https://hackerone.com/curl
-
- There are collections of known issues to be aware of:
-
- - https://curl.se/docs/knownbugs.html
- - https://curl.se/docs/todo.html
+ **SECURITY RELATED?** Submit here: https://github.com/curl/curl/security/advisories
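Review bot: the issue template's new pointer goes to https://github.com/curl/curl/security/advisories while the README, SECURITY.md and bugs.md hunks in this same change point reporters at https://curl.se/dev/vuln-disclosure.html, and the process document hunk lists both GitHub advisories and `security at curl.se`. Pick one canonical destination for user-facing text (the vuln-disclosure page is the natural one, since it can enumerate every channel) so a reporter who lands on different documents is not told different things. The hunk also drops the "collections of known issues" links to knownbugs.html and todo.html; those have nothing to do with the bounty and help filter duplicate non-security reports, so consider keeping them.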
- type: textarea
id: reproducer
label: curl/libcurl version
description: |
Please paste the output of `curl -V` here.
- placeholder: 'curl 8.2.0'
+ placeholder: 'curl 8.18.0'
validations:
required: true
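Review bot: the placeholder bump from `'curl 8.2.0'` to `'curl 8.18.0'` is unrelated to removing bounty and HackerOne mentions and will go stale again on the next release; either split it into its own commit or use a version-agnostic hint such as the literal output shape of `curl -V` so the template does not need touching every release.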
Visit the curl website for the latest news and downloads:
- https://curl.se/
+ https://curl.se/
GIT
To download the latest source code off the GIT server, do this:
- git clone https://github.com/curl/curl
+ git clone https://github.com/curl/curl
(you will get a directory named curl created, filled with the source code)
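Review bot: the two hunks that re-indent the https://curl.se/ line and the `git clone https://github.com/curl/curl` line are whitespace-only and unrelated to the stated purpose of the change; keep them out of this commit (or mention them in the message) so the history of the HackerOne removal stays easy to audit.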
SECURITY PROBLEMS
- Report suspected security problems via our HackerOne page and not in public.
+ Report suspected security problems privately and not in public.
- https://hackerone.com/curl
+ https://curl.se/dev/vuln-disclosure.html
## Security problems
-Report suspected security problems via [our HackerOne
-page](https://hackerone.com/curl) and not in public.
+Report suspected security problems
+[privately](https://curl.se/dev/vuln-disclosure.html) and not in public.
## Backers
## Reporting a Vulnerability
If you have found or just suspect a security problem somewhere in curl or
-libcurl, report it on [HackerOne](https://hackerone.com/curl).
+libcurl, [report it](https://curl.se/dev/vuln-disclosure.html)!
-We treat security issues with confidentiality until controlled and disclosed responsibly.
+We treat security issues with confidentiality until controlled and disclosed
+responsibly.
## OpenSSF Best Practices
curl has achieved Gold status on the Open Source Security Foundation (OpenSSF)
[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure
-Initiative Best Practices), reflecting its adherence to rigorous
-security and best practice standards. This achievement highlights curl's
-comprehensive documentation, secure development processes, effective change
-control mechanisms, and strong maintenance routines. Meeting these criteria
+Initiative Best Practices), reflecting its adherence to rigorous security and
+best practice standards. This achievement highlights curl's comprehensive
+documentation, secure development processes, effective change control
+mechanisms, and strong maintenance routines. Meeting these criteria
demonstrates curl's commitment to security and reliability, ensuring the
project's sustainability and trustworthiness. This underscores curl's role as
a leader in open-source software practices. More information can be found on
# The curl bug bounty
-The curl project runs a bug bounty program in association with
-[HackerOne](https://www.hackerone.com/) and the [Internet Bug
-Bounty](https://internetbugbounty.org/).
+Up until the end of January 2026 there was a curl bug bounty. It is no more.
-## How does it work?
+The curl project does not offer any rewards for reported bugs or
+vulnerabilities. We also do not aid security researchers to get such rewards
+for curl problems from other sources either.
-Start out by posting your suspected security vulnerability directly to [curl's
-HackerOne program](https://hackerone.com/curl).
+A bug bounty gives people too strong incentives to find and make up "problems"
+in bad faith that cause overload and abuse.
-After you have reported a security issue, it has been deemed credible, and a
-patch and advisory has been made public, you may be eligible for a bounty from
-this program. See the [Security Process](https://curl.se/dev/secprocess.html)
-document for how we work with security issues.
-
-## What are the reward amounts?
-
-The curl project offers monetary compensation for reported and published
-security vulnerabilities. The amount of money that is rewarded depends on how
-serious the flaw is determined to be.
-
-Since 2021, the Bug Bounty is managed in association with the Internet Bug
-Bounty and they set the reward amounts. If it would turn out that they set
-amounts that are way lower than we can accept, the curl project intends to
-"top up" rewards.
-
-In 2025, typical "Medium" rated vulnerabilities are rewarded 2,500 USD each.
-
-## Who is eligible for a reward?
-
-Everyone and anyone who reports a security problem in a released curl version
-that has not already been reported can ask for a bounty.
-
-Dedicated - paid for - security audits that are performed in collaboration
-with curl developers are not eligible for bounties.
-
-Vulnerabilities in features that are off by default and documented as
-experimental are not eligible for a reward.
-
-The vulnerability has to be fixed and publicly announced (by the curl project)
-before a bug bounty is considered.
-
-Once the vulnerability has been published by curl, the researcher can request
-their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).
-
-Bounties need to be requested within twelve months from the publication of the
-vulnerability.
-
-The curl security team reserves themselves the right to deny or allow bug
-bounty payouts on its own discretion. There is no appeals process.
-
-## Product vulnerabilities only
-
-This bug bounty only concerns the curl and libcurl products and thus their
-respective source codes - when running on existing hardware. It does not
-include curl documentation, curl websites, or other curl related
-infrastructure.
-
-The curl security team is the sole arbiter if a reported flaw is subject to a
-bounty or not.
-
-## Third parties
-
-The curl bug bounty does not cover flaws in third party dependencies
-(libraries) used by curl or libcurl. If the bug triggers because of curl
-behaving wrongly or abusing a third party dependency, the problem is rather in
-curl and not in the dependency and then the bounty might cover the problem.
-
-## How are vulnerabilities graded?
-
-The grading of each reported vulnerability that makes a reward claim is
-performed by the curl security team. The grading is based on the CVSS (Common
-Vulnerability Scoring System) 3.0.
-
-## How are reward amounts determined?
-
-The curl security team gives the vulnerability a score or severity level, as
-mentioned above. The actual monetary reward amount is decided and paid by the
-Internet Bug Bounty..
-
-## Regarding taxes, etc. on the bounties
-
-In the event that the individual receiving a bug bounty needs to pay taxes on
-the reward money, the responsibility lies with the receiver. The curl project
-or its security team never actually receive any of this money, hold the money,
-or pay out the money.
+We still appreciate and value valid vulnerability reports.
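Review bot: after deleting the "Start out by posting your suspected security vulnerability ..." paragraph, this document no longer tells a researcher where to report; add a link to https://curl.se/dev/vuln-disclosure.html (and keep the pointer to https://curl.se/dev/secprocess.html that the old text carried) next to "We still appreciate and value valid vulnerability reports." Two wording points: "We also do not aid security researchers ... from other sources either" doubles up "also" and "either", so drop one; and the sentence "A bug bounty gives people too strong incentives to find and make up "problems" in bad faith" reads as an accusation against all reporters, so consider phrasing it as the project's experience with low-quality and fabricated submissions rather than a general statement about people. Finally, the heading "# The curl bug bounty" now introduces a page that says the bounty does not exist; retitling it (for example to note it is discontinued) would set expectations before the first sentence.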
using our security development process.
Security related bugs or bugs that are suspected to have a security impact,
-should be reported on the
-[curl security tracker at HackerOne](https://hackerone.com/curl).
+should be reported [privately](https://curl.se/dev/vuln-disclosure.html).
-This ensures that the report reaches the curl security team so that they
-first can deal with the report away from the public to minimize the harm and
-impact it has on existing users out there who might be using the vulnerable
-versions.
+This ensures that the report reaches the curl security team so that they first
+can deal with the report away from the public to minimize the harm and impact
+it has on existing users out there who might be using the vulnerable versions.
The curl project's process for handling security related issues is
[documented separately](https://curl.se/dev/secprocess.html).
repeat ourselves even more. Thanks for respecting this.
If you have found or simply suspect a security problem in curl or libcurl,
-submit all the details at [HackerOne](https://hackerone.com/curl). On there we
+[submit all the details to us](https://curl.se/dev/vuln-disclosure.html). We
keep the issue private while we investigate, confirm it, work and validate a
fix and agree on a time schedule for publication etc. That way we produce a
fix in a timely manner before the flaw is announced to the world, reducing the
Donating plain money to curl is best done to curl's [Open Collective
fund](https://opencollective.com/curl). Open Collective is a US based
-non-profit organization that holds on to funds for us. This fund is then used
-for paying the curl security bug bounties, to reimburse project related
-expenses etc.
+non-profit organization that holds on to funds for us. This fund is used to
+reimburse and pay for project related expenses etc.
Donations to the project can also come in the form of server hosting, providing
services and paying for people to work on curl related code etc. Usually, such
We use a few rare additional curl related email aliases in the curl domains.
They go through the mail server `mail.haxx.se` maintained by Daniel Stenberg
-## Bug-bounty
-
-We run a [bug-bounty](https://curl.se/docs/bugbounty.html) on HackerOne. The
-setup runs entirely at https://hackerone.com/curl.
-
-The money part for the bug bounty is sponsored by the [Internet Bug
-Bounty](https://hackerone.com/ibb).
-
## Open Collective
We use [Open Collective](https://opencollective.com/curl) as our "fiscal
We promise to use donated funds for things and activities that we believe are
beneficial for the project and its development. That includes but is not
-limited to bug-bounties, developer conferences, infrastructure, development,
-services and hardware.
+limited to developer conferences, infrastructure, development, services and
+hardware.
Recurring donations above a certain amount of money puts the sponsor at a
named sponsor level: **Silver**, **Gold**, **Platinum** or **Top**.
reference to the security nature of the commit if done prior to the public
announcement.
-- The person discovering the issue, the reporter, reports the vulnerability on
- [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful
- of selected and trusted people.
+- The person discovering the issue, the reporter, reports the vulnerability to
+ the curl project. Do this [on
+ GitHub](https://github.com/curl/curl/security/advisories) or send an email
+ to `security at curl.se`. Such submissions reach a handful of selected and
+ trusted people.
- Messages that do not relate to the reporting or managing of an undisclosed
security vulnerability in curl or libcurl are ignored and no further action
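Review bot: "Such submissions reach a handful of selected and trusted people" is asserted for both channels, but who receives a GitHub private advisory depends on the repository's admin and security-manager roles, and who receives mail to `security at curl.se` depends on the alias configuration; name the recipient group explicitly (the curl security team) and, since this is the only hunk that lists both channels, make this document the target that the other hunks link to rather than pointing some at GitHub and some at vuln-disclosure.html. Also confirm the `security at curl.se` obfuscation matches how the other addresses in these docs are written.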
repository via a normal PR - but without mentioning it being a security
vulnerability.
-- The monetary reward part of the bug-bounty is managed by the Internet Bug
- Bounty team and the reporter is asked to request the reward from them after
- the issue has been completely handled and published by curl.
-
- No more than seven days before release, inform
[distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
to prepare them about the upcoming public security vulnerability
*All* reports submitted to the project, valid or not, should be disclosed and
made public.
-## Bug Bounty
-
-See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
-bug bounty program.
-
# Severity levels
The curl project's security team rates security problems using four severity
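Review bot: this hunk and the infrastructure-document hunk remove every link to https://curl.se/docs/bugbounty.html, yet the BUG-BOUNTY.md hunk keeps that page alive with the "It is no more" text. Either keep one link from the security process document so readers who still expect a bounty find the explanation, or retire BUG-BOUNTY.md entirely; keeping an orphaned page is the worst of both options.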