curl / Development / Security Process

curl security process

This document describes how security vulnerabilities should be handled in the curl project.

Publishing Information

All known and public curl or libcurl related vulnerabilities are listed on the curl web site security page.

Security vulnerabilities should not be entered in the project's public bug tracker unless the necessary configuration is in place to limit access to the issue to only the reporter and the project's security team.

Vulnerability Handling

The typical process for handling a new security vulnerability is as follows.

No information should be made public about a vulnerability until it is formally announced at the end of this process. That means, for example that a bug tracker entry must NOT be created to track the issue since that will make the issue public and it should not be discussed on any of the project's public mailing lists. Also messages associated with any commits should not make any reference to the security nature of the commit if done prior to the public announcement.

curl-security (at haxx dot se)

Who is on this list? There are a couple of criteria you must meet, and then we might ask you to join the list or you can ask to join it. It really isn't very formal. We basically only require that you have a long-term presence in the curl project and you have shown an understanding for the project and its way of working. You must've been around for a good while and you should have no plans in vanishing in the near future.

We do not make the list of participants public mostly because it tends to vary somewhat over time and a list somewhere will only risk getting outdated.

Publishing Security Advisories

  1. Write up the security advisory, using markdown syntax. Use the same subtitles as last time to maintain consistency.

  2. Name the advisory file after the allocated CVE id.

  3. Add a line on the top of the array in `curl-www/docs/vuln.pm'.

  4. Put the new advisory markdown file in the curl-www/docs/ directory. Add it to the git repo.

  5. Run make in your local web checkout and verify that things look fine.

  6. On security advisory release day, push the changes on the curl-www repository's remote master branch.

Bountygraph Bug Bounty

The curl project runs a bug bounty program in association with bountygraph.com.

After you have reported a security issue to the curl project, it has been deemed credible and a patch and advisory has been made public you can be eligible for a bounty from this program.

See all details at https://bountygraph.com/programs/curl

This bounty is relying on funds from sponsors. If you use curl professionally, consider help funding this!

Hackerone Internet Bug Bounty

This bounty program is run by an independent outside organization: Hackerone. First report your issue the normal way and proceed as described in this document.

Then, if the issue is critical, you are eligible to apply for a bounty from Hackerone for your find.

Once your reported vulnerability has been publicly disclosed by the curl project, you can submit a report to them.

You will not be able to claim bounties from more than one bounty program.