# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

## How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program. See the [Security Process](https://curl.se/dev/secprocess.html)
document for how we work with security issues.

## What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

Since 2021, the Bug Bounty is managed in association with the Internet Bug
Bounty and they will set the reward amounts. If it would turn out that they
set amounts that are way lower than we can accept, the curl project intends to
"top up" rewards.

In 2022, typical "Medium" rated vulnerabilities have been rewarded 2,400 USD
each.

## Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.

Dedicated - paid for - security audits that are performed in collaboration
with curl developers are not eligible for bounties.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty will be considered.

Once the vulnerability has been published by curl, the researcher can request
their bounty from the [Internet Bug Bounty](https://hackerone.com/ibb).

Bounties need to be requested within twelve months from the publication of the
vulnerability.

## Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source codes - when running on existing hardware. It does not
include curl documentation, curl websites, or other curl related
infrastructure.

The curl security team is the sole arbiter if a reported flaw is subject to a
bounty or not.

## How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim will be
performed by the curl security team. The grading will be based on the CVSS
(Common Vulnerability Scoring System) 3.0.

## How are reward amounts determined?

The curl security team gives the vulnerability a score or severity level, as
mentioned above. The actual monetary reward amount is decided and paid by the
Internet Bug Bounty.

## Regarding taxes, etc. on the bounties

In the event that the individual receiving a bug bounty needs to pay taxes on
the reward money, the responsibility lies with the receiver. The curl project
or its security team never actually receive any of this money, hold the money,
or pay out the money.
