BUG-BOUNTY.md: minor rephrase to say there is no bug bounty

also add a brief mention to VULN-DISCLOSURE-POLICY.md

Closes #20878

docs/BUG-BOUNTY.md

@@ -4,13 +4,11 @@ Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
 SPDX-License-Identifier: curl
 -->
 
-# The curl bug bounty
+# No curl bug bounty
-
-Up until the end of January 2026 there was a curl bug bounty. It is no more.
 
 The curl project does not offer any rewards for reported bugs or
-vulnerabilities. We also do not aid security researchers to get such rewards
+vulnerabilities. We do not aid security researchers to get such rewards for
-for curl problems from other sources either.
+curl problems from other sources.
 
 A bug bounty gives people too strong incentives to find and make up "problems"
 in bad faith that cause overload and abuse.

docs/VULN-DISCLOSURE-POLICY.md

@@ -9,6 +9,9 @@ SPDX-License-Identifier: curl
 This document describes how security vulnerabilities are handled in the curl
 project.
 
+There is no bug bounty and the curl project never offers rewards for reported
+vulnerabilities.
+
 ## Publishing Information
 
 All known and public curl or libcurl related vulnerabilities are listed on

scripts/mdlinkcheck

@@ -40,7 +40,6 @@ my %whitelist = (
     'https://curl.se/dev/secprocess.html' => 1,
     'https://curl.se/dev/sourceactivity.html' => 1,
     'https://curl.se/docs/' => 1,
-    'https://curl.se/docs/bugbounty.html' => 1,
     'https://curl.se/docs/caextract.html' => 1,
     'https://curl.se/docs/copyright.html' => 1,
     'https://curl.se/docs/http-cookies.html' => 1,