curl uses BountyGraph to reward security researchers for finding vulnerabilities. You can access our public code repository here.
We are most interested in the following classes of vulnerability
The following is considered out of scope and will not receive a bounty
The curl security team will determine whether a reported issue is considered a security vulnerability and give it a security rating of Low, Moderate, High, or Critical based on its ease of exploitation, the resulting attacker control, and how common the required configuration is.
The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on curl's final assessment of the bug.
Only flaws that are still present in the latest versions of curl are eligible for a bounty, so please confirm that your exploit still works against them before you submit your report.
Please remember that not all submissions will qualify for a bounty. Generally only the first valid report of a particular bug will be accepted, and the final decision on the bounty reward is at the discretion of the Panel.
Bounties are paid to hackers and project maintainers at the discretion of the funding organizations and the BountyGraph team. To be eligible for a bounty, each submission must meet BountyGraph's report guidelines.