# The curl bug bounty

The curl project runs a bug bounty program in association with
[HackerOne](https://www.hackerone.com) and the [Internet Bug
Bounty](https://internetbugbounty.org).

# How does it work?

Start out by posting your suspected security vulnerability directly to [curl's
HackerOne program](https://hackerone.com/curl).

After you have reported a security issue, it has been deemed credible, and a
patch and advisory have been made public, you may be eligible for a bounty from
this program.

See all details at [https://hackerone.com/curl](https://hackerone.com/curl)

This bounty relies on funds from sponsors. If you use curl professionally,
consider helping to fund it! See
[https://opencollective.com/curl](https://opencollective.com/curl) for
details.

# What are the reward amounts?

The curl project offers monetary compensation for reported and published
security vulnerabilities. The amount of money that is rewarded depends on how
serious the flaw is determined to be.

We offer reward money *up to* a certain amount per severity. The curl security
team determines the severity of each reported flaw on a case by case basis and
the exact amount rewarded to the reporter is then decided.

Check out the current award amounts at [https://hackerone.com/curl](https://hackerone.com/curl)

# Who is eligible for a reward?

Everyone and anyone who reports a security problem in a released curl version
that has not already been reported can ask for a bounty.

Vulnerabilities in features that are off by default and documented as
experimental are not eligible for a reward.

The vulnerability has to be fixed and publicly announced (by the curl project)
before a bug bounty will be considered.

Bounties need to be requested within twelve months from the publication of the
vulnerability.

The vulnerabilities must not have been made public before February 1st, 2019.
We do not retroactively pay for old, already known, or published security
problems.

# Product vulnerabilities only

This bug bounty only concerns the curl and libcurl products and thus their
respective source code, when running on existing hardware. It does not
include documentation, websites, or other infrastructure.

The curl security team will be the sole arbiter of whether a reported flaw can
be subject to a bounty or not.

# How are vulnerabilities graded?

The grading of each reported vulnerability that makes a reward claim will be
performed by the curl security team. The grading will be based on the CVSS
(Common Vulnerability Scoring System) 3.0.

# How are reward amounts determined?

The curl security team first gives the vulnerability a score, as mentioned
above, and based on that level we set an amount depending on the specifics of
the individual case. Other sponsors of the program might also get involved and
can raise the amounts depending on the particular issue.

# What happens if the bounty fund is drained?

The bounty fund depends on sponsors. If we pay out more bounties than we add,
the fund will eventually drain. If that ends up happening, we will simply not
be able to pay out bounties as high as we would like, and we hope that we can
convince new sponsors to help us top up the fund again.

# Regarding taxes, etc. on the bounties

In the event that the individual receiving a curl bug bounty needs to pay
taxes on the reward money, the responsibility lies with the receiver. The
curl project or its security team never actually receive any of this money,
hold the money, or pay out the money.

## Bonus levels

In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
offer the highest levels of rewards if the issue covers one of their areas of
interest, and only if the bug is graded *high* or *critical*. A
non-exhaustive list of the vulnerabilities Dropbox is interested in:

 - RCE
 - URL parsing vulnerabilities with demonstrable security impact

Dropbox would generally hand out rewards for critical vulnerabilities ranging
from 12k-32k USD, with RCE at the upper end of the spectrum.

URL parsing vulnerabilities with demonstrable security impact might include
incorrectly determining the authority of a URL when a special character is
inserted into the path of the URL (as a hypothetical). This type of
vulnerability would likely yield 6k-12k unless further impact could be
demonstrated.