comparison mupdf-source/thirdparty/curl/docs/BUG-BOUNTY.md @ 2:b50eed0cc0ef upstream
ADD: MuPDF v1.26.7: the MuPDF source as downloaded by a default build of PyMuPDF 1.26.4.
The directory name has changed: no version number in the expanded directory now.
| author | Franz Glasner <fzglas.hg@dom66.de> |
|---|---|
| date | Mon, 15 Sep 2025 11:43:07 +0200 |
| parents | |
| children | |
| 1:1d09e1dec1d9 | 2:b50eed0cc0ef |
|---|---|
| 1 # The curl bug bounty | |
| 2 | |
| 3 The curl project runs a bug bounty program in association with | |
| 4 [HackerOne](https://www.hackerone.com) and the [Internet Bug | |
| 5 Bounty](https://internetbugbounty.org). | |
| 6 | |
| 7 # How does it work? | |
| 8 | |
| 9 Start out by posting your suspected security vulnerability directly to [curl's | |
| 10 HackerOne program](https://hackerone.com/curl). | |
| 11 | |
| 12 After you have reported a security issue, it has been deemed credible, and a | |
| 13 patch and advisory has been made public, you may be eligible for a bounty from | |
| 14 this program. | |
| 15 | |
| 16 See all details at [https://hackerone.com/curl](https://hackerone.com/curl) | |
| 17 | |
| 18 This bounty is relying on funds from sponsors. If you use curl professionally, | |
| 19 consider help funding this! See | |
| 20 [https://opencollective.com/curl](https://opencollective.com/curl) for | |
| 21 details. | |
| 22 | |
| 23 # What are the reward amounts? | |
| 24 | |
| 25 The curl projects offer monetary compensation for reported and published | |
| 26 security vulnerabilities. The amount of money that is rewarded depends on how | |
| 27 serious the flaw is determined to be. | |
| 28 | |
| 29 We offer reward money *up to* a certain amount per severity. The curl security | |
| 30 team determines the severity of each reported flaw on a case by case basis and | |
| 31 the exact amount rewarded to the reporter is then decided. | |
| 32 | |
| 33 Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl) | |
| 34 | |
| 35 # Who is eligible for a reward? | |
| 36 | |
| 37 Everyone and anyone who reports a security problem in a released curl version | |
| 38 that hasn't already been reported can ask for a bounty. | |
| 39 | |
| 40 Vulnerabilities in features that are off by default and documented as | |
| 41 experimental are not eligible for a reward. | |
| 42 | |
| 43 The vulnerability has to be fixed and publicly announced (by the curl project) | |
| 44 before a bug bounty will be considered. | |
| 45 | |
| 46 Bounties need to be requested within twelve months from the publication of the | |
| 47 vulnerability. | |
| 48 | |
| 49 The vulnerabilities must not have been made public before February 1st, 2019. | |
| 50 We do not retroactively pay for old, already known, or published security | |
| 51 problems. | |
| 52 | |
| 53 # Product vulnerabilities only | |
| 54 | |
| 55 This bug bounty only concerns the curl and libcurl products and thus their | |
| 56 respective source codes - when running on existing hardware. It does not | |
| 57 include documentation, websites, or other infrastructure. | |
| 58 | |
| 59 The curl security team will be the sole arbiter if a reported flaw can be | |
| 60 subject to a bounty or not. | |
| 61 | |
| 62 # How are vulnerabilities graded? | |
| 63 | |
| 64 The grading of each reported vulnerability that makes a reward claim will be | |
| 65 performed by the curl security team. The grading will be based on the CVSS | |
| 66 (Common Vulnerability Scoring System) 3.0. | |
| 67 | |
| 68 # How are reward amounts determined? | |
| 69 | |
| 70 The curl security team first gives the vulnerability a score, as mentioned | |
| 71 above, and based on that level we set an amount depending on the specifics of | |
| 72 the individual case. Other sponsors of the program might also get involved and | |
| 73 can raise the amounts depending on the particular issue. | |
| 74 | |
| 75 # What happens if the bounty fund is drained? | |
| 76 | |
| 77 The bounty fund depends on sponsors. If we pay out more bounties than we add, | |
| 78 the fund will eventually drain. If that end up happening, we will simply not | |
| 79 be able to pay out as high bounties as we would like and hope that we can | |
| 80 convince new sponsors to help us top up the fund again. | |
| 81 | |
| 82 # Regarding taxes, etc. on the bounties | |
| 83 | |
| 84 In the event that the individual receiving a curl bug bounty needs to pay | |
| 85 taxes on the reward money, the responsibility lies with the receiver. The | |
| 86 curl project or its security team never actually receive any of this money, | |
| 87 hold the money, or pay out the money. | |
| 88 | |
| 89 ## Bonus levels | |
| 90 | |
| 91 In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can | |
| 92 offer the highest levels of rewards if the issue covers one of the interest | |
| 93 areas of theirs - and only if the bug is graded *high* or *critical*. A | |
| 94 non-exhaustive list of vulnerabilities Dropbox is interested in are: | |
| 95 | |
| 96 - RCE | |
| 97 - URL parsing vulnerabilities with demonstrable security impact | |
| 98 | |
| 99 Dropbox would generally hand out rewards for critical vulnerabilities ranging | |
| 100 from 12k-32k USD where RCE is on the upper end of the spectrum. | |
| 101 | |
| 102 URL parsing vulnerabilities with demonstrable security impact might include | |
| 103 incorrectly determining the authority of a URL when a special character is | |
| 104 inserted into the path of the URL (as a hypothetical). This type of | |
| 105 vulnerability would likely yield 6k-12k unless further impact could be | |
| 106 demonstrated. |
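Review bot: the side-by-side view carries the entire BUG-BOUNTY.md in one column with the other column empty for all 106 lines, so this comparison cannot show whether the vendored curl document itself changed between the versioned and unversioned directory names the commit message describes; a rename-aware comparison against the old path would confirm the file was carried over unchanged, which is the property worth checking when a third-party tree is re-imported under a new directory name.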
