From: Daniel Stenberg Date: Thu, 22 Jan 2026 08:41:47 +0000 (+0100) Subject: BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca7ef4b817cd91013ae754ee3a622951c089c6c0;p=thirdparty%2Fcurl.git BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026 Remove mentions of the bounty and hackerone. Closes #20312 --- diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml index a857700fe5..0bcfd2dab4 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ b/.github/ISSUE_TEMPLATE/bug_report.yml @@ -13,12 +13,7 @@ body: Only file bugs here! Ask questions on the mailing lists https://curl.se/mail/ - **SECURITY RELATED?** Post it here: https://hackerone.com/curl - - There are collections of known issues to be aware of: - - - https://curl.se/docs/knownbugs.html - - https://curl.se/docs/todo.html + **SECURITY RELATED?** Submit here: https://github.com/curl/curl/security/advisories - type: textarea id: reproducer @@ -40,7 +35,7 @@ body: label: curl/libcurl version description: | Please paste the output of `curl -V` here. - placeholder: 'curl 8.2.0' + placeholder: 'curl 8.18.0' validations: required: true diff --git a/README b/README index 9401434b48..4ee7e43a2c 100644 --- a/README +++ b/README @@ -33,18 +33,18 @@ WEBSITE Visit the curl website for the latest news and downloads: - https://curl.se/ + https://curl.se/ GIT To download the latest source code off the GIT server, do this: - git clone https://github.com/curl/curl + git clone https://github.com/curl/curl (you will get a directory named curl created, filled with the source code) SECURITY PROBLEMS - Report suspected security problems via our HackerOne page and not in public. + Report suspected security problems privately and not in public. - https://hackerone.com/curl + https://curl.se/dev/vuln-disclosure.html diff --git a/README.md b/README.md index 69e8b937dc..a049cd20ac 100644 --- a/README.md +++ b/README.md 
@@ -54,8 +54,8 @@ Download the latest source from the Git server: ## Security problems -Report suspected security problems via [our HackerOne -page](https://hackerone.com/curl) and not in public. +Report suspected security problems +[privately](https://curl.se/dev/vuln-disclosure.html) and not in public. ## Backers diff --git a/SECURITY.md b/SECURITY.md index 64e0d2feab..ddf6415c00 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -11,18 +11,19 @@ Read our [Vulnerability Disclosure Policy](docs/VULN-DISCLOSURE-POLICY.md). ## Reporting a Vulnerability If you have found or just suspect a security problem somewhere in curl or -libcurl, report it on [HackerOne](https://hackerone.com/curl). +libcurl, [report it](https://curl.se/dev/vuln-disclosure.html)! -We treat security issues with confidentiality until controlled and disclosed responsibly. +We treat security issues with confidentiality until controlled and disclosed +responsibly. ## OpenSSF Best Practices curl has achieved Gold status on the Open Source Security Foundation (OpenSSF) [Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure -Initiative Best Practices), reflecting its adherence to rigorous -security and best practice standards. This achievement highlights curl's -comprehensive documentation, secure development processes, effective change -control mechanisms, and strong maintenance routines. Meeting these criteria +Initiative Best Practices), reflecting its adherence to rigorous security and +best practice standards. This achievement highlights curl's comprehensive +documentation, secure development processes, effective change control +mechanisms, and strong maintenance routines. Meeting these criteria demonstrates curl's commitment to security and reliability, ensuring the project's sustainability and trustworthiness. This underscores curl's role as a leader in open-source software practices. More information can be found on 
diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md index d75ea28e02..8a85096e09 100644 --- a/docs/BUG-BOUNTY.md +++ b/docs/BUG-BOUNTY.md 
@@ -6,88 +6,13 @@ SPDX-License-Identifier: curl # The curl bug bounty -The curl project runs a bug bounty program in association with -[HackerOne](https://www.hackerone.com/) and the [Internet Bug -Bounty](https://internetbugbounty.org/). +Up until the end of January 2026 there was a curl bug bounty. It is no more. -## How does it work? +The curl project does not offer any rewards for reported bugs or +vulnerabilities. We also do not aid security researchers to get such rewards +for curl problems from other sources either. -Start out by posting your suspected security vulnerability directly to [curl's -HackerOne program](https://hackerone.com/curl). +A bug bounty gives people too strong incentives to find and make up "problems" +in bad faith that cause overload and abuse. -After you have reported a security issue, it has been deemed credible, and a -patch and advisory has been made public, you may be eligible for a bounty from -this program. See the [Security Process](https://curl.se/dev/secprocess.html) -document for how we work with security issues. - -## What are the reward amounts? - -The curl project offers monetary compensation for reported and published -security vulnerabilities. The amount of money that is rewarded depends on how -serious the flaw is determined to be. - -Since 2021, the Bug Bounty is managed in association with the Internet Bug -Bounty and they set the reward amounts. If it would turn out that they set -amounts that are way lower than we can accept, the curl project intends to -"top up" rewards. - -In 2025, typical "Medium" rated vulnerabilities are rewarded 2,500 USD each. - -## Who is eligible for a reward? - -Everyone and anyone who reports a security problem in a released curl version -that has not already been reported can ask for a bounty. - -Dedicated - paid for - security audits that are performed in collaboration -with curl developers are not eligible for bounties. 
- -Vulnerabilities in features that are off by default and documented as -experimental are not eligible for a reward. - -The vulnerability has to be fixed and publicly announced (by the curl project) -before a bug bounty is considered. - -Once the vulnerability has been published by curl, the researcher can request -their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb). - -Bounties need to be requested within twelve months from the publication of the -vulnerability. - -The curl security team reserves themselves the right to deny or allow bug -bounty payouts on its own discretion. There is no appeals process. - -## Product vulnerabilities only - -This bug bounty only concerns the curl and libcurl products and thus their -respective source codes - when running on existing hardware. It does not -include curl documentation, curl websites, or other curl related -infrastructure. - -The curl security team is the sole arbiter if a reported flaw is subject to a -bounty or not. - -## Third parties - -The curl bug bounty does not cover flaws in third party dependencies -(libraries) used by curl or libcurl. If the bug triggers because of curl -behaving wrongly or abusing a third party dependency, the problem is rather in -curl and not in the dependency and then the bounty might cover the problem. - -## How are vulnerabilities graded? - -The grading of each reported vulnerability that makes a reward claim is -performed by the curl security team. The grading is based on the CVSS (Common -Vulnerability Scoring System) 3.0. - -## How are reward amounts determined? - -The curl security team gives the vulnerability a score or severity level, as -mentioned above. The actual monetary reward amount is decided and paid by the -Internet Bug Bounty.. - -## Regarding taxes, etc. on the bounties - -In the event that the individual receiving a bug bounty needs to pay taxes on -the reward money, the responsibility lies with the receiver. 
The curl project -or its security team never actually receive any of this money, hold the money, -or pay out the money. +We still appreciate and value valid vulnerability reports. diff --git a/docs/BUGS.md b/docs/BUGS.md index 42273a83b8..dde3a71a6e 100644 --- a/docs/BUGS.md +++ b/docs/BUGS.md @@ -36,13 +36,11 @@ vulnerable if the bug becomes public knowledge, then please report that bug using our security development process. Security related bugs or bugs that are suspected to have a security impact, -should be reported on the -[curl security tracker at HackerOne](https://hackerone.com/curl). +should be reported [privately](https://curl.se/dev/vuln-disclosure.html). -This ensures that the report reaches the curl security team so that they -first can deal with the report away from the public to minimize the harm and -impact it has on existing users out there who might be using the vulnerable -versions. +This ensures that the report reaches the curl security team so that they first +can deal with the report away from the public to minimize the harm and impact +it has on existing users out there who might be using the vulnerable versions. The curl project's process for handling security related issues is [documented separately](https://curl.se/dev/secprocess.html). diff --git a/docs/FAQ.md b/docs/FAQ.md index 728d340fdf..d2cf9c8312 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -169,7 +169,7 @@ the web based archives of the mailing lists), thus saving us from having to repeat ourselves even more. Thanks for respecting this. If you have found or simply suspect a security problem in curl or libcurl, -submit all the details at [HackerOne](https://hackerone.com/curl). On there we +[submit all the details to us](https://curl.se/dev/vuln-disclosure.html). We keep the issue private while we investigate, confirm it, work and validate a fix and agree on a time schedule for publication etc. That way we produce a fix in a timely manner before the flaw is announced to the world, reducing the diff --git a/docs/GOVERNANCE.md b/docs/GOVERNANCE.md index 0b0d226fcb..902b09da1f 100644 --- a/docs/GOVERNANCE.md +++ b/docs/GOVERNANCE.md @@ -46,9 +46,8 @@ the project. Donating plain money to curl is best done to curl's [Open Collective fund](https://opencollective.com/curl). Open Collective is a US based -non-profit organization that holds on to funds for us. This fund is then used -for paying the curl security bug bounties, to reimburse project related -expenses etc. +non-profit organization that holds on to funds for us. This fund is used to +reimburse and pay for project related expenses etc. Donations to the project can also come in the form of server hosting, providing services and paying for people to work on curl related code etc. Usually, such diff --git a/docs/INFRASTRUCTURE.md b/docs/INFRASTRUCTURE.md index cc74f05309..2f24845cdd 100644 --- a/docs/INFRASTRUCTURE.md +++ b/docs/INFRASTRUCTURE.md 
@@ -172,14 +172,6 @@ instances used for this. We use a few rare additional curl related email aliases in the curl domains. They go through the mail server `mail.haxx.se` maintained by Daniel Stenberg -## Bug-bounty - -We run a [bug-bounty](https://curl.se/docs/bugbounty.html) on HackerOne. The -setup runs entirely at https://hackerone.com/curl. - -The money part for the bug bounty is sponsored by the [Internet Bug -Bounty](https://hackerone.com/ibb). - ## Open Collective We use [Open Collective](https://opencollective.com/curl) as our "fiscal diff --git a/docs/SPONSORS.md b/docs/SPONSORS.md index e4f61db6a2..dc9d26fe6b 100644 --- a/docs/SPONSORS.md +++ b/docs/SPONSORS.md @@ -17,8 +17,8 @@ two to spend work hours on curl related tasks. We promise to use donated funds for things and activities that we believe are beneficial for the project and its development. That includes but is not -limited to bug-bounties, developer conferences, infrastructure, development, -services and hardware. +limited to developer conferences, infrastructure, development, services and +hardware. Recurring donations above a certain amount of money puts the sponsor at a named sponsor level: **Silver**, **Gold**, **Platinum** or **Top**. diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 51031a2217..da767d65ac 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md 
@@ -29,9 +29,11 @@ mailing lists. Messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement. -- The person discovering the issue, the reporter, reports the vulnerability on - [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful - of selected and trusted people. +- The person discovering the issue, the reporter, reports the vulnerability to + the curl project. Do this [on + GitHub](https://github.com/curl/curl/security/advisories) or send an email + to `security at curl.se`. Such submissions reach a handful of selected and + trusted people. - Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in curl or libcurl are ignored and no further action @@ -76,10 +78,6 @@ announcement. repository via a normal PR - but without mentioning it being a security vulnerability. -- The monetary reward part of the bug-bounty is managed by the Internet Bug - Bounty team and the reporter is asked to request the reward from them after - the issue has been completely handled and published by curl. - - No more than seven days before release, inform [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros) to prepare them about the upcoming public security vulnerability @@ -144,11 +142,6 @@ has been published. *All* reports submitted to the project, valid or not, should be disclosed and made public. -## Bug Bounty - -See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the -bug bounty program. - # Severity levels The curl project's security team rates security problems using four severity
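Review bot: In the .github/ISSUE_TEMPLATE/bug_report.yml hunk, the "SECURITY RELATED?" pointer now goes to https://github.com/curl/curl/security/advisories, while README, README.md, SECURITY.md, docs/BUGS.md and docs/FAQ.md in the same patch all send reporters to https://curl.se/dev/vuln-disclosure.html. Pointing the issue template at that same canonical page would leave a single place to update the next time the reporting channel changes. The same hunk also deletes the two "collections of known issues" links (`https://curl.se/docs/knownbugs.html` and `https://curl.se/docs/todo.html`), which has nothing to do with the bounty or HackerOne; if dropping them is intended, it deserves its own commit or at least a line in the commit message.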
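Review bot: The README hunk deletes and re-adds two lines with identical visible text (`https://curl.se/` and `git clone https://github.com/curl/curl`, presumably a whitespace or indentation change), and the second bug_report.yml hunk bumps `placeholder: 'curl 8.18.0'`; neither is related to removing the bounty, and keeping this a pure "drop HackerOne/bounty mentions" commit would make it easier to revert or backport. Also, "Report suspected security problems privately and not in public." (README and README.md) says the same thing twice; "privately, never in a public issue" would state the actual requirement.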
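Review bot: In the SECURITY.md hunk, `[report it](https://curl.se/dev/vuln-disclosure.html)!` drops the one word that matters here; the old text named the channel, and the new one does not say the report must be private. "report it privately, following our vulnerability disclosure page" matches the wording used in README and docs/BUGS.md in this same patch. The reflow of the OpenSSF paragraph later in the hunk is unrelated to the change.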
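Review bot: The rewritten docs/BUG-BOUNTY.md does not say how reports already in flight at the cutoff are handled. The removed text required the fix to be published by curl before a bounty is considered and allowed claims within twelve months of publication, so a reporter whose issue is under embargo on 31 January 2026 cannot tell from the new text whether they may still claim from the Internet Bug Bounty; one sentence fixing the cutoff rule (by submission, publication or claim date) would avoid that dispute. Also, the heading "# The curl bug bounty" now titles a page whose only content is that there is no bounty; something like "# The curl bug bounty (discontinued)" makes the state visible from the table of contents, and keeping the file (rather than deleting it) is the right call since https://curl.se/docs/bugbounty.html is linked from the text removed in docs/INFRASTRUCTURE.md and docs/VULN-DISCLOSURE-POLICY.md.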
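Review bot: In the docs/GOVERNANCE.md hunk, "This fund is used to reimburse and pay for project related expenses etc." is a style nit: "reimburse and pay for" says the same thing twice, and "project-related" wants the hyphen; "This fund is used to pay for project-related expenses." is enough and matches the sentence that follows it.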
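Review bot: Removing the Bug-bounty section from docs/INFRASTRUCTURE.md is fine, but the docs/VULN-DISCLOSURE-POLICY.md hunk in the same patch makes `security at curl.se` a primary reporting channel, and the surrounding INFRASTRUCTURE.md context only says that "a few rare additional curl related email aliases" go through `mail.haxx.se`. Since that alias is now part of the path a vulnerability report takes, consider naming it in this document along with who receives it and where it is hosted, the way the other services on the page are described.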
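Review bot: The new reporting bullet in docs/VULN-DISCLOSURE-POLICY.md offers two channels, GitHub private advisories and email to `security at curl.se`, without saying which is preferred or how email submissions should be protected. A reporter about to send exploit details over plain email cannot tell from this text whether an encryption key is offered; stating the preferred channel, and a key or fingerprint if one exists, would close that gap. The bullet also keeps the claim that submissions "reach a handful of selected and trusted people", which is fine for the email alias but for GitHub depends on who holds the repository's security-manager role; a short note on that, or a pointer to where it is documented, would keep the statement verifiable.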