-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs/BUG-BOUNTY: proposed additional docs [ci skip] #3067
Conversation
Bug bounty explainer. See https://bountygraph.com/programs/curl
As I just mentioned in the draft of governance IBB pays out for libcurl vulnerabilities. So there are multiple programs and it may benefit the reporter to go with one program over the other. For example they paid $1k for duphandle read out of bounds. |
I don't think we can speak for other programs in which we have no say or influence. What do you think we should say about IBB? Mention that it exists (which we already do the in SECURITY-PROCESS doc) or state that we won't pay reward money for vulnerabilities already paid for by other bug bounties? |
I don't think we should add "not getting paid by another bounty program" as a requirement. First, it makes it really hard to keep track of and secondly, a flaw is a flaw to us no matter if another program will pay for it or not and to the same extent. A reported security flaw that fulfills our requirement may be eligible for a bounty I think. IBB has a requirement for paying a bounty that the reported flaw has to "be novel: vulnerability is new or unusual in an interesting way" - which we certyinly don't have as a requirement. |
Fair enough. This reminds me for readability I propose let's stop putting [ci skip] in the subject of commit messages and instead put it on its own line at the end of the body. |
I was going to say that I thought one of those systems required the skip to be on that line. But now when I look it appears like both travis and appveyor still built this commit so it was a failure in several ways... :-/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this reads well and to the point. Once we've had requests pass through we might find improvements on wordings but for now I think this is a good start.
docs/BUG-BOUNTY.md
Outdated
- Low $500 | ||
- Medium $1,000 | ||
- High $5,000 | ||
- Critical $10,000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick, but should we use "USD 10,000" instead as $ is the denomination for many currencies (living in Australia taught me the confusions that can be had).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense yes, I'll amend.
Bug bounty explainer. See https://bountygraph.com/programs/curl
This is documentation and an explainer with additional details from my bounty proposal on the mailing list yesterday.