Hi

I think it might help us to attract more security researchers if we spell out
exactly how much money we intend to pay as rewards for potential finds -
especially now when have gotten pledges for a notable sum to use for this.
Here's a proposal from me.

While also reserving our rights to adjust levels on a case by case basis in
either direction, I think we could mention rewards of up (amounts in USD):

  Low $500
  Medium $1,000
  High $5,000
  Critical $10,000

The grading of each reported vulernability that makes a reward claim will be
performed by the curl security team, but I think it should be based on the
CVSS (Common Vulnerability Scoring System) 3.0.

Reasoning: we have 33,000 USD in the reward fund right now and the last few
years we've had around 10 security vulnerabilities per year. The majory of
them (I estimate) with low or medium severity levels.

If we presume this bounty works well and we get twice the reported amount as
before, and they're all medium level, it would mean 20 bugs times 1K USD. We
could then even fit in one critical bug too and still have money left. If that
happens, we'll run out of money in one year but if we do, it would also at the
same time show this program to be a success and that would then hopefully
trigger more companies to help us out to continue the program. At the same
time I don't want to overpay for "silly" bugs.

Thoughts?

(We have not reveived a single report yet since we announced this program...)

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html