docs/BUG-BOUNTY: proposed additional docs

Bug bounty explainer. See https://bountygraph.com/programs/curl

Closes #3067

docs/BUG-BOUNTY.md

@@ -0,0 +1,78 @@
+# The curl bug bounty
+
+ The curl project runs a bug bounty program in association with
+ bountygraph.com.
+
+ After you have reported a security issue to the curl project, it has been
+ deemed credible and a patch and advisory has been made public you can be
+ eligible for a bounty from this program.
+
+ See all details at https://bountygraph.com/programs/curl
+
+ This bounty is relying on funds from sponsors. If you use curl professionally,
+ consider help funding this!
+
+## How much money is the bounty at
+
+ The curl projects offer monetary compensation for reported and published
+ security vulnerabilities. The amount of money rewarded depends on how serious
+ the flaw is determined to be.
+
+ We offer reward money *up to* these amounts. The curl security team will
+ solely and exclusively determine the exact amount for each reported flaw on a
+ case by case basis and keep the rights to adjust the amount as it sees fit.
+
+ - Low      USD 500
+ - Medium   USD 1,000
+ - High     USD 5,000
+ - Critical USD 10,000
+
+## Who's eligible for a reward
+
+ Everyone and anyone who reports a security problem in a released curl version
+ that hasn't already been reported can ask for a bounty.
+
+ The vulnerability has to be fixed and publicly announced (by the curl
+ project) before a bug bounty will be considered.
+
+ Bounties need to be requested within twelve months from the publication of
+ the vulnerability.
+
+## Product vulnerabilities only
+
+ The bug bounty only concerns the curl and libcurl products and thus their
+ respective source codes - when running on existing hardware. It does not
+ include documentation, web sites or other infrastructure.
+
+ The curl security team will be the sole arbiter if a reported flaw can be
+ subject to a bounty or not.
+
+## How are vulnerabilities graded
+
+ The grading of each reported vulnerability that makes a reward claim will be
+ performed by the curl security team. The grading will be based on the CVSS
+ (Common Vulnerability Scoring System) 3.0.
+
+## How are reward amounts determined
+
+ The curl security team first gives the vulnerability a score, as mentioned
+ above, and based on that level the team may increase or decrease the bounty
+ amount from the general template depending on the specifics of the individual
+ case.
+
+ The curl security team will be the sole arbiter of the bounty amount.
+
+## What happens if the bounty fund is drained
+
+ The bounty fund depends on sponsors. If we pay out more bounties than we add,
+ the fund will eventually drain. If that end up happening, we will simply not
+ be able to pay out as high bounties as we would like and hope that we can
+ convince new sponsors to help us top up the fund again.
+
+## Regarding taxes etc on the bounties
+
+ In the event that the individual receiving a curl bug bounty needs to pay
+ taxes on the reward money, that's something for the receiver (and
+ bountygraph.com?) to work out and handle. The curl project or its security
+ team never actually receive any of this money, hold the money or pay out the
+ money.