On Mon, 14 Jul 2025, Patrick Monnerat via curl-library wrote:

> An idea: drop HackerOne (it advertises the project bounties too much) and go back to the curl-security mailing list :-)

We discussed this briefly today and we more or less agreed to hold off a bit and see how it develops over the coming months before we do anything. Possibly the bounty has served its purposes now and should be abandoned to remove that incentive for the "sloppers".

If we stop the bounty then there would be no point in sticking to HackerOne.

If we leave HackerOne, it might be a better idea to switch to using the vulnerability handling on GitHub instead of going back to the plain mailing list. Partly because we get a few features on GitHub (like a private repo, plus people don't like mail) and partly because spam filtering on the mailing list is annoying to manage already.

But again: we don't do anything just yet. We keep it as-is for a while more and watch how it goes.

--

 / daniel.haxx.se || https://rock-solid.curl.dev