Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs/BUG-BOUNTY: bug bounty time #3488

Closed
wants to merge 1 commit into from
Closed

docs/BUG-BOUNTY: bug bounty time #3488

wants to merge 1 commit into from

Conversation

bagder
Copy link
Member

@bagder bagder commented Jan 21, 2019

Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]

danielgustafsson
danielgustafsson approved these changes Jan 21, 2019
View changes
Copy link
Member

@danielgustafsson danielgustafsson left a comment

LGTM

docs/BUG-BOUNTY.md Outdated Show resolved Hide resolved
@bagder
Copy link
Member Author

bagder commented Jan 21, 2019

When we land this, we/I should also update the corresponding text in "Everything curl", here: https://github.com/bagder/everything-curl/blob/master/sourcecode-reportvuln.md

@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from 3b0b058 to ffcb2dc Compare Feb 4, 2019
bagder added a commit that referenced this issue Feb 4, 2019
@bagder
docs/BUG-BOUNTY: bug bounty time
ffcb2dc 
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

This program is not yet live, but this is preparing the documentation
for when this is activated.

[skip ci]
Closes #3488
@bagder
docs/BUG-BOUNTY: bug bounty time [skip ci]
2a9bbe8 
Introducing the curl bug bounty program on hackerone. We now recommend
filing security issues directly in the hackerone ticket system which
only is readable to curl security team members.

Closes #3488
@bagder bagder force-pushed the bagder/bug-bounty-hackerone branch from ffcb2dc to 2a9bbe8 Compare Apr 20, 2019
danielgustafsson
danielgustafsson requested changes Apr 20, 2019
View changes
Copy link
Member

@danielgustafsson danielgustafsson left a comment

The changes are all good, but I believe we need to address the BUGS document too with a patch along the lines of the below:

diff --git a/docs/BUGS b/docs/BUGS
index 7322d9b21..480e0caec 100644
--- a/docs/BUGS
+++ b/docs/BUGS
@@ -61,9 +61,14 @@ BUGS
   using our security development process.

   Security related bugs or bugs that are suspected to have a security impact,
-  should be reported by email to curl-security@haxx.se so that they first can
-  be dealt with away from the public to minimize the harm and impact it will
-  have on existing users out there who might be using the vulnerable versions.
+  should be reported on the curl security tracker at HackerOne:
+
+        https://hackerone.com/curl
+
+  This ensures that the report reaches the curl security team so that they
+  first can be deal with the report away from the public to minimize the harm
+  and impact it will have on existing users out there who might be using the
+  vulnerable versions.

   The curl project's process for handling security related issues is
   documented here:

@bagder bagder closed this in 10e4dd6 Apr 22, 2019
@bagder bagder deleted the bagder/bug-bounty-hackerone branch May 14, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Aug 12, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@danielgustafsson danielgustafsson

Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@bagder @danielgustafsson