Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/BUG-BOUNTY: bug bounty time #3488

Closed
wants to merge 1 commit into from

Conversation

Projects
None yet
2 participants
@bagder
Copy link
Member

commented Jan 21, 2019

Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]

@danielgustafsson
Copy link
Member

left a comment

LGTM

Show resolved Hide resolved docs/BUG-BOUNTY.md Outdated
@bagder

This comment has been minimized.

Copy link
Member Author

commented Jan 21, 2019

When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md

@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from 3b0b058 to ffcb2dc Feb 4, 2019

bagder added a commit that referenced this pull request Feb 4, 2019

docs/BUG-BOUNTY: bug bounty time
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]
Closes #3488
docs/BUG-BOUNTY: bug bounty time [skip ci]
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

Closes #3488

@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from ffcb2dc to 2a9bbe8 Apr 20, 2019

@danielgustafsson
Copy link
Member

left a comment

The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below:

diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
   using our security development process.

   Security related bugs or bugs that are suspected to have a security impact,
-  should be reported by email to curl-security@haxx.se so that they first can
-  be dealt with away from the public to minimize the harm and impact it will
-  have on existing users out there who might be using the vulnerable versions.
+  should be reported on the curl security tracker at HackerOne:
+
+        https://hackerone.com/curl
+
+  This ensures that the report reaches the curl security team so that they
+  first can be deal with the report away from the public to minimize the harm
+  and impact it will have on existing users out there who might be using the
+  vulnerable versions.

   The curl project's process for handling security related issues is
   documented here:

@bagder bagder closed this in 10e4dd6 Apr 22, 2019

@bagder bagder deleted the bagder/bug-bounty-hackerone branch May 14, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.