xref: /curl/docs/BUG-BOUNTY.md (revision 87b6fe16)
<!--
Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.

SPDX-License-Identifier: curl
-->

# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

## How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program. See the [Security Process](https://curl.se/dev/secprocess.html)
document for how we work with security issues.

## What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

Since 2021, the Bug Bounty is managed in association with the Internet Bug
Bounty and they set the reward amounts. Should they set amounts that are far
lower than we consider acceptable, the curl project intends to "top up"
rewards.

In 2022, vulnerabilities rated "Medium" were typically rewarded with 2,400 USD
each.

## Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.

Dedicated - paid for - security audits that are performed in collaboration
with curl developers are not eligible for bounties.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty is considered.

Once the vulnerability has been published by curl, the researcher can request
their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).

Bounties need to be requested within twelve months from the publication of the
vulnerability.

The curl security team reserves the right to deny or allow bug bounty payouts
at its own discretion. There is no appeals process.

## Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source code, when running on existing hardware. It does not cover
curl documentation, curl websites, or other curl related infrastructure.

The curl security team is the sole arbiter of whether a reported flaw is
subject to a bounty or not.

## Third parties

The curl bug bounty does not cover flaws in third party dependencies
(libraries) used by curl or libcurl. If the bug triggers because curl behaves
wrongly or misuses a third party dependency, the problem is in curl rather
than in the dependency, and then the bounty might cover it.

## How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim is
performed by the curl security team. The grading is based on the CVSS (Common
Vulnerability Scoring System) 3.0.

## How are reward amounts determined?

The curl security team gives the vulnerability a score or severity level, as
mentioned above. The actual monetary reward amount is decided and paid by the
Internet Bug Bounty.

## Regarding taxes, etc. on the bounties

In the event that the individual receiving a bug bounty needs to pay taxes on
the reward money, the responsibility lies with the receiver. The curl project
and its security team never receive any of this money, hold the money, or pay
out the money.

95