path: root/docs/SECURITY-PROCESS.md
Diffstat (limited to 'docs/SECURITY-PROCESS.md')
-rw-r--r--  docs/SECURITY-PROCESS.md  24
1 files changed, 14 insertions, 10 deletions
diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md
index 6ef7757c..9dd4cb77 100644
--- a/docs/SECURITY-PROCESS.md
+++ b/docs/SECURITY-PROCESS.md
@@ -61,7 +61,7 @@ announcement.
Figure out the CWE (Common Weakness Enumeration) number for the flaw.
- Request a CVE number from
- [distros@openwall](http://oss-security.openwall.org/wiki/mailing-lists/distros)
+ [distros@openwall](https://oss-security.openwall.org/wiki/mailing-lists/distros)
when also informing and preparing them for the upcoming public security
vulnerability announcement - attach the advisory draft for information. Note
that 'distros' won't accept an embargo longer than 14 days and they do not
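Review bot: the http to https change for the distros@openwall link is correct and is the only edit in this hunk; for consistency, any other plain http:// links to oss-security.openwall.org elsewhere in the document should get the same treatment, since only this one is visible here.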
@@ -121,15 +121,19 @@ Publishing Security Advisories
6. On security advisory release day, push the changes on the curl-www
repository's remote master branch.
-Hackerone Internet Bug Bounty
------------------------------
+Bountygraph Bug Bounty
+----------------------
+
+The curl project runs a bug bounty program in association with
+bountygraph.com.
+
+After you have reported a security issue to the curl project, it has been
+deemed credible and a patch and advisory has been made public you can be
+eligible for a bounty from this program.
-The curl project does not run any bounty program on its own, but there are
-outside organizations that do. First report your issue the normal way and
-proceed as described in this document.
+See all details at [BountyGraph](https://bountygraph.com/programs/curl).
-Then, if the issue is [critical](https://hackerone.com/ibb-data), you are
-eligible to apply for a bounty from Hackerone for your find.
+This bounty is relying on funds from
+[sponsors](https://bountygraph.com/programs/curl#publicpledges). If you use
+curl professionally, consider help funding this!
-Once your reported vulnerability has been publicly disclosed by the curl
-project, you can submit a [report to them](https://hackerone.com/ibb-data). \ No newline at end of file