luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BUG-BOUNTY.md: clarify the third party situation

Browse Source 
We do not pay bounties for problems in other libraries.

Closes #13560
This commit is contained in:
Daniel Stenberg 2024-05-08 11:45:37 +02:00
parent 22d8ce1970
commit 87b6fe1695
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/BUG-BOUNTY.md
View File

@ -67,6 +67,13 @@ infrastructure.
The curl security team is the sole arbiter if a reported flaw is subject to a The curl security team is the sole arbiter if a reported flaw is subject to a
bounty or not. bounty or not.
## Third parties
The curl bug bounty does not cover flaws in third party dependencies
(libraries) used by curl or libcurl. If the bug triggers because of curl
behaving wrongly or abusing a third party dependency, the problem is rather in
curl and not in the dependency and then the bounty might cover the problem.
## How are vulnerabilities graded? ## How are vulnerabilities graded?
The grading of each reported vulnerability that makes a reward claim is The grading of each reported vulnerability that makes a reward claim is