daniel:// stenberg://Jan 26

The end of the #curl bug-bounty

https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/

The end of the curl bug-bounty

tldr: an attempt to reduce the terror reporting. There is no longer a curl bug-bounty program. It officially stops on January 31, 2026. After having had a few half-baked previous takes, in April 2019 we kicked off the first real curl bug-bounty with the help of Hackerone, and while it stumbled a bit at first … Continue reading The end of the curl bug-bounty →

daniel.haxx.se
Show threadFrederikJan 26

@bagder

Charging people money in an International context is complicated and a maintenance burden.

I think if it does come to this, you might consider requiring a small donation to a charity? This would dramatically reduce the hassle on all sides, and do something good as a bonus.

Show threaddaniel:// stenberg://Jan 26
@fre receiving money for vulnerability *reports* would not mean that we ship vulnerabilities though...
Show threadFrederik
@bagder of course not, but I guess someone could spin it like "they now have incentive to publish buggy code", right? Anyway, that wasn't the point of the post and I didn't want to insinuate any bad intentions, sorry. I'll remove that part.
Jan 26 at 9:50amWeb