From: gnunet
Subject: [GNUnet-SVN] [gnurl] 141/219: BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
Date: Wed, 22 May 2019 19:18:00 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit 489a4be12a1120b4c734ba7540b611123e0d535b
Author: Daniel Stenberg <address@hidden>
AuthorDate: Sat May 4 23:58:11 2019 +0200

    BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip]
    
    Closes #3839
---
 docs/BUG-BOUNTY.md | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
index de6d53e2f..dedb249b4 100644
--- a/docs/BUG-BOUNTY.md
+++ b/docs/BUG-BOUNTY.md
@@ -13,7 +13,7 @@ After you have reported a security issue, it has been deemed 
credible, and a
 patch and advisory has been made public, you may be eligible for a bounty from
 this program.
 
-See all details at https://hackerone.com/curl.
+See all details at https://hackerone.com/curl
 
 This bounty is relying on funds from sponsors. If you use curl professionally,
 consider help funding this! See https://opencollective.com/curl for details.
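Review bot: Dropping the trailing period after https://hackerone.com/curl keeps autolinkers and mail clients from swallowing the dot into the link, but it leaves the sentence without terminal punctuation; writing it as `<https://hackerone.com/curl>.` keeps the link clean and the sentence complete.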
@@ -28,12 +28,7 @@ We offer reward money *up to* a certain amount per severity. 
The curl security
 team determines the severity of each reported flaw on a case by case basis and
 the exact amount rewarded to the reporter is then decided.
 
-At the start of the program, the award amounts are:
-
- Critical: 2,000 USD
- High:     1,500 USD
- Medium:   1,000 USD
- Low:        500 USD
+Check out the current award amounts at https://hackerone.com/curl
 
 # Who is eligible for a reward?
 
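Review bot: Replacing the four severity tiers with a pointer to https://hackerone.com/curl removes the "At the start of the program" caveat, which is good, but the unchanged context line "We offer reward money *up to* a certain amount per severity" now has no amounts anywhere in this file to refer to; consider rewording it to say the current per-severity caps are listed on HackerOne. Also note that the "Bonus levels" section added later in this same patch hardcodes 12k-32k and 6k-12k USD figures, which will go stale in exactly the way these tiers did; either keep all figures in the document or all on HackerOne.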
@@ -88,3 +83,22 @@ In the event that the individual receiving a curl bug bounty 
needs to pay
 taxes on the reward money, the responsibility lies with the receiver. The
 curl project or its security team never actually receive any of this money,
 hold the money, or pay out the money.
+
+## Bonus levels
+
+In cooperation with [Dropbox](https://www.dropbox.com) the curl bug bounty can
+offer the highest levels of rewards if the issue covers one of the interest
+areas of theirs - and only if the bug is graded *high* or *critical*. A
+non-exhaustive list of vulnerabilities Dropbox is interested in are:
+
+ - RCE
+ - URL parsing vulnerabilities with demonstrable security impact
+
+Dropbox would generally hand out rewards for critical vulnerabilities ranging
+from 12k-32k USD where RCE is on the upper end of the spectrum.
+
+URL parsing vulnerabilities with demonstrable security impact might include
+incorrectly determining the authority of a URL when a special character is
+inserted into the path of the URL (as a hypothetical). This type of
+vulnerability would likely yield 6k-12k unless further impact could be
+demonstrated.
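Review bot: The section says the bonus applies to bugs graded *high* or *critical*, but only critical payouts (12k-32k USD) are quantified; either give the range for high-severity bugs or state explicitly that those are decided case by case. Grammar: "A non-exhaustive list of vulnerabilities Dropbox is interested in are:" should read "is:", and "the interest areas of theirs" reads better as "their areas of interest". Finally, "the highest levels of rewards" is vague; naming the ceiling (the 32k USD figure given two paragraphs later) up front would make the tier clearer.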
