Re: rethink the bug-bounty?
From: Demi Marie Obenour <demiobenour_at_gmail.com>
Date: Mon, 14 Jul 2025 17:25:25 -0400
On 7/14/25 17:21, Daniel Stenberg via curl-library wrote:
> On Mon, 14 Jul 2025, Patrick Monnerat via curl-library wrote:
>
>> An idea: drop hackerone (it advertises the project bounties too much) and go
>> back to the curl-security mailing list :-)
>
> We discussed this today briefly and we more or less agreed to hold off a bit
> and see how it develops the coming months before we do anything. Possibly the
> bounty has served its purposes now and should be abandoned to remove that
> incentive for the "sloppers".
>
> If we stop the bounty then there would be no point in sticking to HackerOne.
>
> If we leave HackerOne, there might be a better idea to instead switch to using
> the vulnerability handling on GitHub instead of going back to the plain
> mailing list. Partly because we get a few features on github (like private
> repo, plus people don't like mail) and partly because spam filtering on the
> mailing list is annoying to manage already.
>
> But again: we don't do anything just yet. We keep it as-is for a while more
> and watch how it goes.
Could there be some sort of up-front bond requirement to reduce spam reports?
There have been a few times I have reported something as a security issue that
turned out not to be, but that was usually because of legitimate
disagreement over whether an issue turned out to be a security issue.
Received on 2025-07-14
-- Sincerely, Demi Marie Obenour (she/her/hers)