We do not pay bounties for problems in other libraries.
Closes #13560
The curl security team is the sole arbiter if a reported flaw is subject to a
bounty or not.
+## Third parties
+
+The curl bug bounty does not cover flaws in third party dependencies
+(libraries) used by curl or libcurl. If the bug triggers because of curl
+behaving wrongly or abusing a third party dependency, the problem is rather in
+curl and not in the dependency and then the bounty might cover the problem.
+
## How are vulnerabilities graded?
The grading of each reported vulnerability that makes a reward claim is
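Review bot: The second sentence of the new "Third parties" section is hard to parse and leaves the boundary loose: "behaving wrongly or abusing a third party dependency" reads as two separate conditions, and "abusing" would be clearer as "misusing", since the case being described is curl calling the library incorrectly. Consider something like "If the bug triggers because curl misuses a third-party dependency, the flaw is in curl rather than in the dependency, and the bounty might cover it." Also hyphenate "third-party" where it modifies "dependencies"/"dependency" in both sentences. Since the unchanged context just above already says the curl security team is the sole arbiter, the "might" is fine as is, but it may help to say explicitly that flaws in the dependency itself should be reported to that project.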