<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.

SPDX-License-Identifier: curl
-->

# Security Policy

Read our [Vulnerability Disclosure Policy](docs/VULN-DISCLOSURE-POLICY.md).

## Reporting a Vulnerability

If you have found or just suspect a security problem somewhere in curl or
libcurl, report it on [HackerOne](https://hackerone.com/curl).

We treat security issues with confidentiality until controlled and disclosed responsibly.

## OpenSSF Best Practices

curl has achieved Gold status on the Open Source Security Foundation (OpenSSF)
[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure
Initiative Best Practices), reflecting its adherence to rigorous
security and best practice standards. This achievement highlights curl's
comprehensive documentation, secure development processes, effective change
control mechanisms, and strong maintenance routines. Meeting these criteria
demonstrates curl's commitment to security and reliability, ensuring the
project's sustainability and trustworthiness. This underscores curl's role as
a leader in open-source software practices. More information can be found on
[curl's OpenSSF Best Practices project page](https://www.bestpractices.dev/projects/63).