docs/BUG-BOUNTY: bug bounty time

[bagder]

Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]

[danielgustafsson]

LGTM

[bagder]

When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md

[danielgustafsson]

The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below:

diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
   using our security development process.

   Security related bugs or bugs that are suspected to have a security impact,
-  should be reported by email to curl-security@haxx.se so that they first can
-  be dealt with away from the public to minimize the harm and impact it will
-  have on existing users out there who might be using the vulnerable versions.
+  should be reported on the curl security tracker at HackerOne:
+
+        https://hackerone.com/curl
+
+  This ensures that the report reaches the curl security team so that they
+  first can be deal with the report away from the public to minimize the harm
+  and impact it will have on existing users out there who might be using the
+  vulnerable versions.

   The curl project's process for handling security related issues is
   documented here: