Skip to content

/curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/BUG-BOUNTY: bug bounty time #3488

Closed
wants to merge 1 commit into from

Conversation

Reviewers

@danielgustafsson danielgustafsson

Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
2 participants
@bagder @danielgustafsson
@bagder
Copy link
Member

commented Jan 21, 2019

Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]

@bagder bagder added the documentation label Jan 21, 2019

@danielgustafsson

danielgustafsson approved these changes Jan 21, 2019
View changes

Copy link
Member

left a comment

LGTM
Show resolved Hide resolved docs/BUG-BOUNTY.md Outdated
@bagder

This comment has been minimized.

Sign in to view
Copy link
Member Author

commented Jan 21, 2019

When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md
@danielgustafsson

danielgustafsson reviewed Feb 3, 2019
View changes

Show resolved Hide resolved docs/BUG-BOUNTY.md

@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from 3b0b058 to ffcb2dc Feb 4, 2019

bagder added a commit that referenced this pull request Feb 4, 2019

@bagder
docs/BUG-BOUNTY: bug bounty time 
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]
Closes #3488
Verified
This commit was signed with a verified signature.
@bagder bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
ffcb2dc
@bagder
docs/BUG-BOUNTY: bug bounty time [skip ci] 
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

Closes #3488
Verified
This commit was signed with a verified signature.
@bagder bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
2a9bbe8

@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from ffcb2dc to 2a9bbe8 Apr 20, 2019

@danielgustafsson

danielgustafsson requested changes Apr 20, 2019
View changes

Copy link
Member

left a comment

The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below:

diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
   using our security development process.

   Security related bugs or bugs that are suspected to have a security impact,
-  should be reported by email to curl-security@haxx.se so that they first can
-  be dealt with away from the public to minimize the harm and impact it will
-  have on existing users out there who might be using the vulnerable versions.
+  should be reported on the curl security tracker at HackerOne:
+
+        https://hackerone.com/curl
+
+  This ensures that the report reaches the curl security team so that they
+  first can be deal with the report away from the public to minimize the harm
+  and impact it will have on existing users out there who might be using the
+  vulnerable versions.

   The curl project's process for handling security related issues is
   documented here:

@bagder bagder closed this in 10e4dd6 Apr 22, 2019

@bagder bagder deleted the bagder/bug-bounty-hackerone branch May 14, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.