Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upGitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
docs/BUG-BOUNTY: bug bounty time #3488
Closed
Conversation
|
LGTM |
|
When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md |
bagder
added a commit
that referenced
this pull request
Feb 4, 2019
Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. This program is not yet live, but this is preparing the documentation for when this is activated. [skip ci] Closes #3488
|
The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below: diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
using our security development process.
Security related bugs or bugs that are suspected to have a security impact,
- should be reported by email to curl-security@haxx.se so that they first can
- be dealt with away from the public to minimize the harm and impact it will
- have on existing users out there who might be using the vulnerable versions.
+ should be reported on the curl security tracker at HackerOne:
+
+ https://hackerone.com/curl
+
+ This ensures that the report reaches the curl security team so that they
+ first can be deal with the report away from the public to minimize the harm
+ and impact it will have on existing users out there who might be using the
+ vulnerable versions.
The curl project's process for handling security related issues is
documented here: |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.
This program is not yet live, but this is preparing the documentation
for when this is activated.
[skip ci]