curl uses BountyGraph to reward security researchers for finding vulnerabilities. You can access our public code repository here.
We are most interested in the following classes of vulnerability:
- Stack overflows
- Heap memory corruption
- Information leaks
- Authentication bypasses
- Denial of Service vectors
- Other serious vulnerabilities
The following is considered out of scope and will not receive a bounty:
- Social engineering (including phishing) or physical attacks
- Minor flaws or mistakes that do not have a security impact
- Vulnerabilities that were made public before August 1st, 2018
The curl security team will determine whether a reported issue is considered a security vulnerability and give it a security rating of Low, Moderate, High, or Critical based on its ease of exploitation, resulting attacker control, and commonality of required configuration.
The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on curl's final assessment of the bug.
Only flaws that are still present in the latest version of curl are eligible for bounty submissions, so please confirm that the flaw still reproduces against the current release before you submit your report.
Please remember that not all submissions will qualify for a bounty. Generally only the first valid report of a particular bug will be accepted, and the final decision of the bounty reward is at the discretion of the Panel.
See all previous publicly announced curl security vulnerabilities and check which curl versions each vulnerability affects.
BountyGraph Payout Policy
Bounties are paid to hackers and project maintainers at the discretion of the funding organizations and the BountyGraph team. To be eligible for a bounty, each submission must meet BountyGraph's report guidelines.