From 8dbc3c7a6bd5288ec1ba873620aafda5e27508f8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 22 Feb 2024 16:34:35 +0100 Subject: [PATCH] BUG-BOUNTY.md: clarify that the curl security team decides Closes #12975 --- docs/BUG-BOUNTY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md index 3714efda52..f3fc1d8237 100644 --- a/docs/BUG-BOUNTY.md +++ b/docs/BUG-BOUNTY.md @@ -48,6 +48,9 @@ their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb). Bounties need to be requested within twelve months from the publication of the vulnerability. +The curl security team reserves themselves the right to deny or allow bug +bounty payouts on its own discretion. There is no appeals process. + ## Product vulnerabilities only This bug bounty only concerns the curl and libcurl products and thus their
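Review bot: In the first added line of the docs/BUG-BOUNTY.md hunk, "reserves themselves the right" treats the team as plural while the next line's "its own discretion" treats it as singular, and "on its own discretion" should be "at its own discretion". Suggested wording: "The curl security team reserves the right to deny or allow bug bounty payouts at its own discretion. There is no appeals process." The preceding context says the bounty comes from the Internet Bug Bounty, so it may also be worth stating whether this decision covers eligibility for that payout, since the new text does not say how the two relate.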