From: Daniel Stenberg Date: Thu, 9 Mar 2023 12:39:23 +0000 (+0100) Subject: docs/SECURITY-PROCESS.md: updates X-Git-Tag: curl-8_0_0~69 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=56f306a5a6bbbb6fdb4a1e23f0895bf34307ea2f;p=thirdparty%2Fcurl.git docs/SECURITY-PROCESS.md: updates - allow Low+Medium issues to be managed through plain PRs - update the bug-bounty part to reflect current reality Closes #10719 --- diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 5ccde42bd6..89026b6446 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -63,10 +63,14 @@ announcement. - Update the "security advisory" with the CVE number. - The security team commits the fix in a private branch. The commit message - should ideally contain the CVE number. - -- The security team also decides on and delivers a monetary reward to the - reporter as per the bug-bounty policies. + should ideally contain the CVE number. If the severity level of the issue is + set to Low or Medium, the fix is allowed to get merged into the master + repository via a normal PR - but without mentioning it being a security + vulnerability. + +- The monetary reward part of the bug-bounty is managed by the Internet Bug + Bounty team and the reporter is asked to request the reward from them after + the issue has been completely handled and published by curl. - No more than 10 days before release, inform [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
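Review bot: the new Low/Medium sentence in the first bullet of this hunk sits awkwardly against the sentence it follows. The bullet still says the commit message "should ideally contain the CVE number", but the added text says a Low or Medium fix may be merged "via a normal PR - but without mentioning it being a security vulnerability"; a CVE number in the commit message would do exactly that. Either scope the CVE-number advice to the private-branch path (for example, "For issues rated High or Critical, the security team commits the fix in a private branch and the commit message should ideally contain the CVE number.") or state explicitly that for Low/Medium fixes the CVE reference is added only when the advisory is published. For the second bullet, the new text hands the reward step to the Internet Bug Bounty team but gives the reporter no pointer; since this document is what reporters read, a link to the program or to the curl page that describes how to claim the reward would save them a support request. The phrase "after the issue has been completely handled and published by curl" is also the only place in the hunk that defines when the reporter may ask; consider saying "after curl has published the advisory" so it matches the "security advisory" wording used earlier in the list.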