VULN-DISCLOSURE-POLICY.md: remove mention of bug bounty reward

As a follow-up to commits ca7ef4b817 ("BUG-BOUNTY.md: we stop the
bug-bounty end of Jan 2026", 2026-01-22) and ed7bf43a08 ("BUG-BOUNTY.md:
minor rephrase to say there is no bug bounty", 2026-03-10), remove a
leftover mention of the reward for vulnerability reports, that no longer
exists, in file `VULN-DISCLOSURE-POLICY.md`.

Fixes #21571
Reported-by: Alan De Smet
Closes #21574

diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md
index abc7ef2c0a96dc7428998d1f47caac29b20cbdab..1ce3f4e26d4d9ee634176b61203f2604b958e7a5 100644 (file)
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -248,8 +248,8 @@ already do much worse harm and the problem is not really in curl.
 ## Debug & Experiments
 
 Vulnerabilities in features which are off by default (in the build) and
-documented as experimental, or exist only in debug mode, are not eligible for a
-reward and we do not consider them security problems.
+documented as experimental, or exist only in debug mode, are not considered
+security problems.
 
 The same applies to scripts and software which are not installed by default
 through the make install rule.