curl / Development / Security Process

curl security process

This document describes how security vulnerabilities should be handled in the curl project.

Publishing Information

All known and public curl or libcurl related vulnerabilities are listed on the curl website security page.

Security vulnerabilities should not be entered in the project's public bug tracker.

Vulnerability Handling

The typical process for handling a new security vulnerability is as follows.

No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on any of the project's public mailing lists. Also messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement.

curl-security (at haxx dot se)

This is a private mailing list for discussions on and about curl security issues.

Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the curl project and you have shown an understanding for the project and its way of working. You must've been around for a good while and you should have no plans in vanishing in the near future.

We do not make the list of participants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated.

Publishing Security Advisories

  1. Write up the security advisory, using markdown syntax. Use the same subtitles as last time to maintain consistency.

  2. Name the advisory file after the allocated CVE id.

  3. Add a line on the top of the array in `curl-www/docs/'.

  4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it to the git repo.

  5. Run make in your local web checkout and verify that things look fine.

  6. On security advisory release day, push the changes on the curl-www repository's remote master branch.


Request the issue to be disclosed. If there are sensitive details present in the report and discussion, those should be redacted from the disclosure. The default policy is to disclose as much as possible as soon as the vulnerability has been published.

Bug Bounty

See BUG-BOUNTY for details on the bug bounty program.