Re: rethink the bug-bounty?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 14 Jul 2025 23:21:00 +0200 (CEST)
On Mon, 14 Jul 2025, Patrick Monnerat via curl-library wrote:
> An idea: drop hackerone (it advertises the project bounties too much) and go
> back to the curl-security mailing list :-)
We discussed this today briefly and we more or less agreed to hold off a bit
and see how it develops the coming months before we do anything. Possibly the
bounty has served its purposes now and should be abandoned to remove that
incentive for the "sloppers".
If we stop the bounty then there would be no point in sticking to HackerOne.
If we leave HackerOne, there might be a better idea to instead switch to using
the vulnerability handling on GitHub instead of going back to the plain
mailing list. Partly because we get a few features on GitHub (like private
repo, plus people don't like mail) and partly because spam filtering on the
mailing list is annoying to manage already.
But again: we don't do anything just yet. We keep it as-is for a while more
and watch how it goes.
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2025-07-14