Skip to main content

Today we celebrate the five year anniversary of #curl's bug-bounty. It has resulted in 69 reported vulnerabilities and almost 80,000 USD payouts. Out of a total of 439 submissions. 86 of them were considered "informative", which mostly means they were handled as normal bugs.

Submit your suspected curl securirty issue here: https://hackerone.com/curl


curl - Bug Bounty Program | HackerOne

The curl Bug Bounty Program enlists the help of the hacker community at HackerOne to make curl more secure.
HackerOne
#curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
bonus graph: fixed/introduced vulnerabilities in #curl over time:
#curl
in reply to daniel:// stenberg://

Will Orr
Will Orr
What changed around 2013? Were there tools or practices introduced that started uncovering security issues? Or was it just more time dedicated to security issues? More eyes?
in reply to Will Orr

daniel:// stenberg://
daniel:// stenberg://
@worr I don't think anything in particular changed, maybe that we slowly got more eyes involved in the looking for issues
@Will Orr
in reply to daniel:// stenberg://

tarakiyee
tarakiyee

Thanks for sharing these numbers!

I'm curious, is it possible to also get a breakdown by severity for the reported ones?