1# The curl bug bounty 2 3The curl project runs a bug bounty program in association with 4[HackerOne](https://www.hackerone.com) and the [Internet Bug 5Bounty](https://internetbugbounty.org). 6 7# How does it work? 8 9Start out by posting your suspected security vulnerability directly to [curl's 10HackerOne program](https://hackerone.com/curl). 11 12After you have reported a security issue, it has been deemed credible, and a 13patch and advisory has been made public, you may be eligible for a bounty from 14this program. 15 16See all details at [https://hackerone.com/curl](https://hackerone.com/curl) 17 18This bounty is relying on funds from sponsors. If you use curl professionally, 19consider help funding this! See 20[https://opencollective.com/curl](https://opencollective.com/curl) for 21details. 22 23# What are the reward amounts? 24 25The curl project offers monetary compensation for reported and published 26security vulnerabilities. The amount of money that is rewarded depends on how 27serious the flaw is determined to be. 28 29We offer reward money *up to* a certain amount per severity. The curl security 30team determines the severity of each reported flaw on a case by case basis and 31the exact amount rewarded to the reporter is then decided. 32 33Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl) 34 35# Who is eligible for a reward? 36 37Everyone and anyone who reports a security problem in a released curl version 38that hasn't already been reported can ask for a bounty. 39 40Vulnerabilities in features that are off by default and documented as 41experimental are not eligible for a reward. 42 43The vulnerability has to be fixed and publicly announced (by the curl project) 44before a bug bounty will be considered. 45 46Bounties need to be requested within twelve months from the publication of the 47vulnerability. 48 49# Product vulnerabilities only 50 51This bug bounty only concerns the curl and libcurl products and thus their 52respective source codes - when running on existing hardware. It does not 53include documentation, websites, or other infrastructure. 54 55The curl security team is the sole arbiter if a reported flaw is subject to a 56bounty or not. 57 58# How are vulnerabilities graded? 59 60The grading of each reported vulnerability that makes a reward claim will be 61performed by the curl security team. The grading will be based on the CVSS 62(Common Vulnerability Scoring System) 3.0. 63 64# How are reward amounts determined? 65 66The curl security team first gives the vulnerability a score, as mentioned 67above, and based on that level we set an amount depending on the specifics of 68the individual case. Other sponsors of the program might also get involved and 69can raise the amounts depending on the particular issue. 70 71# What happens if the bounty fund is drained? 72 73The bounty fund depends on sponsors. If we pay out more bounties than we add, 74the fund will eventually drain. If that end up happening, we will simply not 75be able to pay out as high bounties as we would like and hope that we can 76convince new sponsors to help us top up the fund again. 77 78# Regarding taxes, etc. on the bounties 79 80In the event that the individual receiving a curl bug bounty needs to pay 81taxes on the reward money, the responsibility lies with the receiver. The 82curl project or its security team never actually receive any of this money, 83hold the money, or pay out the money. 84