path: root/docs/SECURITY-PROCESS.md
Diffstat (limited to 'docs/SECURITY-PROCESS.md')
-rw-r--r-- docs/SECURITY-PROCESS.md 34
1 files changed, 15 insertions, 19 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index 4991d5fb..6ef7757c 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -90,18 +90,6 @@ announcement.
- The security web page on the web site should get the new vulnerability
mentioned.
-Pre-notification
-----------------
-
-If you think you are or should be eligible for a pre-notification about
-upcoming security announcements for curl, we urge OS distros and similar
-vendors to primarily join the distros@openwall list as that is one of the
-purposes of that list - and not just for curl of course.
-
-If you are not a distro or otherwise not suitable for distros@openwall and yet
-want pre-notifications from us, contact the curl security team with a detailed
-and clear explanation why this is the case.
-
curl-security (at haxx dot se)
------------------------------
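Review bot: deleting the whole Pre-notification section removes the only place this document tells OS distros and similar vendors to join distros@openwall for advance notice, and the only route for non-distro parties to ask the curl security team for pre-notification; if that guidance has moved elsewhere, the commit message or the remaining `curl-security (at haxx dot se)` section should say where, otherwise packagers lose the instruction. If the policy itself is unchanged, consider keeping a one-line pointer such as `Vendors wanting pre-notification should join the distros@openwall list.` rather than dropping the topic silently.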
@@ -121,19 +109,27 @@ Publishing Security Advisories
1. Write up the security advisory, using markdown syntax. Use the same
subtitles as last time to maintain consistency.
-2. Name the advisory file (and ultimately the URL to be used when the flaw
- gets published), using a randomized component so that third parties that
- are involved in the process for each individual flaw will not be given
- insights about possible *other* flaws worked on in parallel.
- `adv_YEAR_RANDOM.md` has been used before.
+2. Name the advisory file after the allocated CVE id.
3. Add a line on the top of the array in `curl-www/docs/vuln.pm'.
4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it
- to the git repo. Update the Makefile in the same directory to build the
- HTML representation.
+ to the git repo.
5. Run `make` in your local web checkout and verify that things look fine.
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
+
+Hackerone Internet Bug Bounty
+-----------------------------
+
+The curl project does not run any bounty program on its own, but there are
+outside organizations that do. First report your issue the normal way and
+proceed as described in this document.
+
+Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
+eligible to apply for a bounty from Hackerone for your find.
+
+Once your reported vulnerability has been publicly disclosed by the curl
+project, you can submit a [report to them](https://hackerone.com/ibb-data). \ No newline at end of file
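Review bot: step 2 drops the stated reason for the randomized advisory filename (so third parties involved in one flaw do not learn about other flaws worked on in parallel) without recording why that concern no longer applies; naming the file after the allocated CVE id makes the advisory URL guessable by anyone who knows the id before release day, so the rationale belongs in this change or the commit message. Smaller points in the same hunk: step 4 no longer tells the editor to update the Makefile, so confirm the web build now picks up new advisory files without that step; the `[critical](https://hackerone.com/ibb-data)` and `[report to them](https://hackerone.com/ibb-data)` links point at the same page, so the first could be plain text unless a separate criteria page exists; and the new section ends with `\ No newline at end of file`, so add the trailing newline.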