Mercurial > hgrepos > Python2 > PyMuPDF
annotate mupdf-source/thirdparty/curl/docs/BUG-BOUNTY.md @ 40:aa33339d6b8a upstream
ADD: MuPDF v1.26.10: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.5.
| author | Franz Glasner <fzglas.hg@dom66.de> |
|---|---|
| date | Sat, 11 Oct 2025 11:31:38 +0200 |
| parents | b50eed0cc0ef |
| children |
| rev | line source |
|---|---|
|
2
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
1 # The curl bug bounty |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
2 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
3 The curl project runs a bug bounty program in association with |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
4 [HackerOne](https://www.hackerone.com) and the [Internet Bug |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
5 Bounty](https://internetbugbounty.org). |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
6 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
7 # How does it work? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
8 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
9 Start out by posting your suspected security vulnerability directly to [curl's |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
10 HackerOne program](https://hackerone.com/curl). |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
11 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
12 After you have reported a security issue, it has been deemed credible, and a |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
13 patch and advisory has been made public, you may be eligible for a bounty from |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
14 this program. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
15 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
16 See all details at [https://hackerone.com/curl](https://hackerone.com/curl) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
17 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
18 This bounty is relying on funds from sponsors. If you use curl professionally, |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
19 consider help funding this! See |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
20 [https://opencollective.com/curl](https://opencollective.com/curl) for |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
21 details. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
22 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
23 # What are the reward amounts? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
24 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
25 The curl projects offer monetary compensation for reported and published |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
26 security vulnerabilities. The amount of money that is rewarded depends on how |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
27 serious the flaw is determined to be. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
28 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
29 We offer reward money *up to* a certain amount per severity. The curl security |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
30 team determines the severity of each reported flaw on a case by case basis and |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
31 the exact amount rewarded to the reporter is then decided. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
32 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
33 Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
34 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
35 # Who is eligible for a reward? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
36 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
37 Everyone and anyone who reports a security problem in a released curl version |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
38 that hasn't already been reported can ask for a bounty. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
39 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
40 Vulnerabilities in features that are off by default and documented as |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
41 experimental are not eligible for a reward. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
42 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
43 The vulnerability has to be fixed and publicly announced (by the curl project) |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
44 before a bug bounty will be considered. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
45 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
46 Bounties need to be requested within twelve months from the publication of the |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
47 vulnerability. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
48 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
49 The vulnerabilities must not have been made public before February 1st, 2019. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
50 We do not retroactively pay for old, already known, or published security |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
51 problems. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
52 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
53 # Product vulnerabilities only |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
54 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
55 This bug bounty only concerns the curl and libcurl products and thus their |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
56 respective source codes - when running on existing hardware. It does not |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
57 include documentation, websites, or other infrastructure. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
58 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
59 The curl security team will be the sole arbiter if a reported flaw can be |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
60 subject to a bounty or not. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
61 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
62 # How are vulnerabilities graded? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
63 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
64 The grading of each reported vulnerability that makes a reward claim will be |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
65 performed by the curl security team. The grading will be based on the CVSS |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
66 (Common Vulnerability Scoring System) 3.0. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
67 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
68 # How are reward amounts determined? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
69 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
70 The curl security team first gives the vulnerability a score, as mentioned |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
71 above, and based on that level we set an amount depending on the specifics of |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
72 the individual case. Other sponsors of the program might also get involved and |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
73 can raise the amounts depending on the particular issue. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
74 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
75 # What happens if the bounty fund is drained? |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
76 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
77 The bounty fund depends on sponsors. If we pay out more bounties than we add, |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
78 the fund will eventually drain. If that end up happening, we will simply not |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
79 be able to pay out as high bounties as we would like and hope that we can |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
80 convince new sponsors to help us top up the fund again. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
81 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
82 # Regarding taxes, etc. on the bounties |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
83 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
84 In the event that the individual receiving a curl bug bounty needs to pay |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
85 taxes on the reward money, the responsibility lies with the receiver. The |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
86 curl project or its security team never actually receive any of this money, |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
87 hold the money, or pay out the money. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
88 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
89 ## Bonus levels |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
90 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
91 In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
92 offer the highest levels of rewards if the issue covers one of the interest |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
93 areas of theirs - and only if the bug is graded *high* or *critical*. A |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
94 non-exhaustive list of vulnerabilities Dropbox is interested in are: |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
95 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
96 - RCE |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
97 - URL parsing vulnerabilities with demonstrable security impact |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
98 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
99 Dropbox would generally hand out rewards for critical vulnerabilities ranging |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
100 from 12k-32k USD where RCE is on the upper end of the spectrum. |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
101 |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
102 URL parsing vulnerabilities with demonstrable security impact might include |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
103 incorrectly determining the authority of a URL when a special character is |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
104 inserted into the path of the URL (as a hypothetical). This type of |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
105 vulnerability would likely yield 6k-12k unless further impact could be |
|
b50eed0cc0ef
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
Franz Glasner <fzglas.hg@dom66.de>
parents:
diff
changeset
|
106 demonstrated. |