- Request a CVE number from
[HackerOne](https://docs.hackerone.com/programs/cve-requests.html)
-- Consider informing
- [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
- to prepare them about the upcoming public security vulnerability
- announcement - attach the advisory draft for information. Note that
- 'distros' won't accept an embargo longer than 14 days and they do not care
- for Windows-specific flaws.
-
- Update the "security advisory" with the CVE number.
- The security team commits the fix in a private branch. The commit message
- should ideally contain the CVE number. This fix is usually also distributed
- to the 'distros' mailing list to allow them to use the fix prior to the
- public announcement.
+ should ideally contain the CVE number.
+
+- The security team also decides on and delivers a monetary reward to the
+ reporter as per the bug-bounty polices.
+
+- No more than 10 days before release, inform
+ [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
+ to prepare them about the upcoming public security vulnerability
+ announcement - attach the advisory draft for information with CVE and
+ current patch. 'distros' does not accept an embargo longer than 14 days and
+ they do not care for Windows-specific flaws.
- No more than 48 hours before the release, the private branch is merged into
the master branch and pushed. Once pushed, the information is accessible to
projects / thirdparty / curl.git / commitdiff
