New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/BUG-BOUNTY: proposed additional docs [ci skip] #3067

Closed
wants to merge 4 commits into
base: master
from

Conversation

Projects
None yet
5 participants
@bagder
Member

bagder commented Sep 29, 2018

Bug bounty explainer. See https://bountygraph.com/programs/curl

This is documentation and an explainer with additional details from my bounty proposal on the mailing list yesterday.

Show resolved Hide resolved docs/BUG-BOUNTY.md Outdated
Show resolved Hide resolved docs/BUG-BOUNTY.md Outdated
@jay

This comment has been minimized.

Member

jay commented Sep 29, 2018

As I just mentioned in the draft of governance IBB pays out for libcurl vulnerabilities. So there are multiple programs and it may benefit the reporter to go with one program over the other. For example they paid $1k for duphandle read out of bounds.

@bagder

This comment has been minimized.

Member

bagder commented Sep 29, 2018

I don't think we can speak for other programs in which we have no say or influence. What do you think we should say about IBB? Mention that it exists (which we already do the in SECURITY-PROCESS doc) or state that we won't pay reward money for vulnerabilities already paid for by other bug bounties?

@bagder

This comment has been minimized.

Member

bagder commented Oct 1, 2018

I don't think we should add "not getting paid by another bounty program" as a requirement. First, it makes it really hard to keep track of and secondly, a flaw is a flaw to us no matter if another program will pay for it or not and to the same extent. A reported security flaw that fulfills our requirement may be eligible for a bounty I think.

IBB has a requirement for paying a bounty that the reported flaw has to "be novel: vulnerability is new or unusual in an interesting way" - which we certyinly don't have as a requirement.

@jay

This comment has been minimized.

Member

jay commented Oct 1, 2018

Fair enough. This reminds me for readability I propose let's stop putting [ci skip] in the subject of commit messages and instead put it on its own line at the end of the body.

@bagder

This comment has been minimized.

Member

bagder commented Oct 1, 2018

I was going to say that I thought one of those systems required the skip to be on that line. But now when I look it appears like both travis and appveyor still built this commit so it was a failure in several ways... :-/

@danielgustafsson

I think this reads well and to the point. Once we've had requests pass through we might find improvements on wordings but for now I think this is a good start.

- Low $500
- Medium $1,000
- High $5,000
- Critical $10,000

This comment has been minimized.

@danielgustafsson

danielgustafsson Oct 2, 2018

Member

Nitpick, but should we use "USD 10,000" instead as $ is the denomination for many currencies (living in Australia taught me the confusions that can be had).

This comment has been minimized.

@bagder

bagder Oct 2, 2018

Member

Makes sense yes, I'll amend.

@bagder bagder closed this in af500e9 Oct 8, 2018

@bagder bagder deleted the bagder/bug-bounty branch Oct 8, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment