Commit graph

31 commits

Author SHA1 Message Date
Daniel Stenberg
ed7bf43a08
BUG-BOUNTY.md: minor rephrase to say there is no bug bounty
also add a brief mention to VULN-DISCLOSURE-POLICY.md

Closes #20878
2026-03-10 17:34:08 +01:00
Daniel Stenberg
1495489c41
docs: drop basically
Another filler word

Closes #20835
2026-03-07 10:58:36 +01:00
Daniel Stenberg
b4dba346cd
stop using the word 'just'
Everywhere. In documentation and code comments.

It is almost never a good word and almost always a filler that should be
avoided.

Closes #20793
2026-03-03 15:30:22 +01:00
Daniel Stenberg
3cf86508fd
VULN-DISCLOSURE-POLICY.md: use hackerone
- bug_report.yml: use hackerone

Closes #20683
2026-02-26 07:57:19 +01:00
Daniel Stenberg
15a8a777b8
VULN-DISCLOSURE-POLICY.md: mention GitHub quirks
Closes #20541
2026-02-09 12:42:36 +01:00
Daniel Stenberg
0ccaf6c835
VULN-DISCLOSURE-POLICY.md: push reports to the web form
Closes #20515
2026-02-04 12:45:51 +01:00
Daniel Stenberg
ca7ef4b817
BUG-BOUNTY.md: we stop the bug-bounty end of Jan 2026
Remove mentions of the bounty and hackerone.

Closes #20312
2026-01-26 08:26:28 +01:00
Viktor Szakats
ac6264366f
tidy-up: miscellaneous
- tool_bname: scope an include.
- `endif` comments.
- Markdown fixes.
- comment tidy-ups.
- whitespace, newlines, indent.

Closes #20309
2026-01-15 13:06:13 +01:00
JimFuller-RedHat
af18d8ea1b
docs: explicitly call out Slowloris as not a security flaw
Closes #20219
2026-01-08 10:19:16 +01:00
Daniel Stenberg
ae1597c312
VULN-DISCLOSURE-POLICY.md: CRLF in data
we reject the idea of *CRLF injection* by the user itself as a general
security problem

Closes #20157
2026-01-02 12:19:11 +01:00
Viktor Szakats
ce62f0f9a1
VULN-DISCLOSURE-POLICY: make it pass test 1275
```
test 1275...[Verify capital letters after period in markdown files]
 ../../docs/VULN-DISCLOSURE-POLICY.md:426:55:error: lowercase daily after period
 * regular communication from communication leader (ex. daily update)
```
Ref: https://github.com/curl/curl/actions/runs/17527331816/job/49779555753?pr=18485

Also: add ending slashes to 2 URLs.

Follow-up to 6905370df5 #18483
Closes #18486
2025-09-07 12:39:44 +02:00
Jim Fuller
6905370df5
docs: add major incident section to vuln disclosure policy
Closes #18483
2025-09-06 12:20:45 +02:00
Daniel Stenberg
af81e8fe5f
VULN-DISCLOSURE-POLICY.md: 7 days embargo is max
It was recently updated in this doc to seven, but there were *two*
numbers mentioned and only one of them was updated leaving the paragraph
quite confusing.

Follow-up to 83c90e5047

Closes #17921
2025-07-14 09:08:47 +02:00
Daniel Stenberg
dc263e15e1
VULN-DISCLOSURE-POLICY: minor language polish
Closes #17799
2025-07-01 22:54:43 +02:00
Marcel Lang
10432ffb6a
VULN-DISCLOSURE-POLICY.md: fix typos
Closes #17796
2025-07-01 22:50:45 +02:00
Daniel Stenberg
ff15eef2d6
VULN-DISCLOSURE-POLICY: all reports should be disclosed
As a matter of policy.

Closes #17778
2025-06-29 16:42:03 +02:00
Daniel Gustafsson
86eb054286
VULN-DISCLOSURE-POLICY: exclude not installed software
Flaws in any script or compiled artifact which isn't installed by
default are not considered to be security vulnerabilities.

Closes #17761
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2025-06-27 12:08:01 +02:00
Daniel Stenberg
83c90e5047
VULN-DISCLOSURE-POLICY.md: the distros list wants <= 7 days embargo
Closes #17497
2025-05-31 18:00:58 +02:00
Daniel Stenberg
9f57c2ea95
VULN-DISCLOSURE-POLICY: use of weak algos
Not necessarily security problems.

Closes #17220
2025-04-29 13:11:07 +02:00
Dan Fandrich
c693cc02b0
docs: vulnerabilities in debug code are not eligible for a bounty
This is code that is off by default and is therefore treated as a
regular bug.

Ref: #16526
Closes #16527
2025-02-28 14:21:46 -08:00
Daniel Stenberg
cb4cd36fe7
VULN-DISCLOSURE-POLICY: on legacy dependencies
Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes #16086
2025-01-27 15:48:13 +01:00
Daniel Stenberg
cfb97e1fcf
VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS
Closes #15779
2024-12-19 22:59:54 +01:00
Daniel Stenberg
a18680f501
VULN-DISCLOSURE-POLICY.md: small typo fix
2024-08-05 17:15:31 +02:00
Daniel Stenberg
b715bb371c
VULN-DISCLOSURE-POLICY: NULL dereferences and crashes
If a malicious server can trigger a NULL dereference in curl or
otherwise cause curl to crash (and nothing worse), chances are big that
we do not consider that a security problem.

Closes #13974
2024-06-19 12:53:35 +02:00
Daniel Stenberg
86d33001e4
reuse: add copyright + license info to individual docs/*.md files
Instead of using 'docs/*.md' in dep5. For clarity and avoiding a wide-
matching wildcard.

+ Remove mention of old files from .reuse/dep5
+ add info to .github/dependabot.yml
+ make scripts/copyright.pl warn on non-matching patterns

Closes #13245
2024-03-31 12:01:18 +02:00
Daniel Stenberg
39173f66e5
VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
curl is a CNA now

Closes #13088
2024-03-08 13:16:27 +01:00
Daniel Stenberg
2097a095c9
docs: use present tense
avoid "will", detect "will" as a bad word in the CI

Also line wrapped a bunch of paragraphs

Closes #13001
2024-02-27 09:47:21 +01:00
Daniel Stenberg
e5000e797f
GHA: add a job scanning for "bad words" in markdown
This means words, phrases or things we have decided not to use - words that
are spelled right according to the dictionary but we want to avoid. In the
name of consistency and better documentation.

Closes #12764
2024-01-24 08:44:34 +01:00
Daniel Stenberg
9588528a0b
VULN-DISCLOSURE-POLICY: remove broken link to hackerone
It should ideally soon not be done from hackerone anyway

Closes #12308
2023-11-11 23:16:52 +01:00
Daniel Stenberg
2b16b86bb6
VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
Closes #12278
2023-11-06 12:51:00 +01:00
Daniel Stenberg
46d4ae5e11
SECURITY-PROCESS.md: call it vulnerability disclosure policy
SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md

This is a name commonly used for a document like this. This name helps
users find it.

Closes #11852
2023-09-14 17:04:33 +02:00
Renamed from docs/SECURITY-PROCESS.md