SPDX-License-Identifier: curl
-->
-# The curl bug bounty
-
-Up until the end of January 2026 there was a curl bug bounty. It is no more.
+# No curl bug bounty
The curl project does not offer any rewards for reported bugs or
-vulnerabilities. We also do not aid security researchers to get such rewards
-for curl problems from other sources either.
+vulnerabilities. We do not aid security researchers to get such rewards for
+curl problems from other sources.
A bug bounty gives people too strong incentives to find and make up "problems"
in bad faith that cause overload and abuse.
This document describes how security vulnerabilities are handled in the curl
project.
+There is no bug bounty and the curl project never offers rewards for reported
+vulnerabilities.
+
## Publishing Information
All known and public curl or libcurl related vulnerabilities are listed on
'https://curl.se/dev/secprocess.html' => 1,
'https://curl.se/dev/sourceactivity.html' => 1,
'https://curl.se/docs/' => 1,
- 'https://curl.se/docs/bugbounty.html' => 1,
'https://curl.se/docs/caextract.html' => 1,
'https://curl.se/docs/copyright.html' => 1,
'https://curl.se/docs/http-cookies.html' => 1,
projects / thirdparty / curl.git / commitdiff
