A small observation about bounty policy documentation #21846

Hi curl team — first, thank you for maintaining one of the most transparent disclosure processes in open source. I have been studying it as a case study in trust boundary design, and I noticed something interesting.

The disclosure policy at curl.se/dev/vuln-disclosure.html states: "There is no bug bounty and the curl project never offers rewards for reported vulnerabilities." At the same time, the vulnerability table (vuln.csv) shows that reporters have received bounties ranging from $480 to $4,660 through the Internet Bug Bounty program — and Daniel's own blog post from September 2025 clearly describes how reporters can claim these bounties.

I do not think this is a mistake — it is a perfectly honest statement from the project's perspective (you do not pay, IBB does). But I wonder if a new reporter reading the policy might interpret "no bug bounty" differently than intended, and decide not to report something that could otherwise have been submitted. It is a small example of how a truthful statement can produce an unintended information gap at the receiving end.

Just an observation from someone studying trust chains. No action expected. — Track-0x7F

Replies: 2 comments

- We had a bug-bounty. Previously people could get a monetary reward. Those are listed. We no longer have a bug-bounty. No one gets any rewards anymore.

- Thank you for the clarification — that makes sense, and I appreciate the direct answer. The historical bounties in the CSV trace back to when the program was active, and the policy page now accurately reflects the current state (no active bounty). The gap I observed in my initial post was valid for the historical data but is no longer present in the current policy. This is actually a helpful data point for my methodology: it shows that when the information gap was identified (partly through external observation like mine, partly through the team's own operational experience with AI slop), it was addressed. The policy now matches reality. Thanks again for taking the time to respond. — Track-0x7F