docs/BUG-BOUNTY: bug bounty time #3488
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md |
danielgustafsson
reviewed
Feb 3, 2019
bagder
force-pushed
the
bagder/bug-bounty-hackerone
branch
from
3b0b058
to
ffcb2dc
Compare
bagder
added a commit
that referenced
this pull request
Feb 4, 2019
Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. This program is not yet live, but this is preparing the documentation for when this is activated. [skip ci] Closes #3488
Introducing the curl bug bounty program on hackerone. We now recommend filing security issues directly in the hackerone ticket system which only is readable to curl security team members. Closes #3488
bagder
force-pushed
the
bagder/bug-bounty-hackerone
branch
from
ffcb2dc
to
2a9bbe8
Compare
danielgustafsson
requested changes
Apr 20, 2019
There was a problem hiding this comment.
The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below:
diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
using our security development process.
Security related bugs or bugs that are suspected to have a security impact,
- should be reported by email to curl-security@haxx.se so that they first can
- be dealt with away from the public to minimize the harm and impact it will
- have on existing users out there who might be using the vulnerable versions.
+ should be reported on the curl security tracker at HackerOne:
+
+ https://hackerone.com/curl
+
+ This ensures that the report reaches the curl security team so that they
+ first can be deal with the report away from the public to minimize the harm
+ and impact it will have on existing users out there who might be using the
+ vulnerable versions.
The curl project's process for handling security related issues is
documented here:
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.
This program is not yet live, but this is preparing the documentation
for when this is activated.
[skip ci]