Commit Graph

24 Commits

Author SHA1 Message Date
Viktor Szakats
ac6264366f tidy-up: miscellaneous
- tool_bname: scope an include.
- `endif` comments.
- Markdown fixes.
- comment tidy-ups.
- whitespace, newlines, indent.

Closes #20309
2026-01-15 13:06:13 +01:00
JimFuller-RedHat
af18d8ea1b docs: explicitly call out Slowloris as not a security flaw
Closes #20219
2026-01-08 10:19:16 +01:00
Daniel Stenberg
ae1597c312 VULN-DISCLOSURE-POLICY.md: CRLF in data
we reject the idea of *CRLF injection* by the user itself as a general
security problem

Closes #20157
2026-01-02 12:19:11 +01:00
Viktor Szakats
ce62f0f9a1 VULN-DISCLOSURE-POLICY: make it pass test 1275
```
test 1275...[Verify capital letters after period in markdown files]
 ../../docs/VULN-DISCLOSURE-POLICY.md:426:55:error: lowercase daily after period
 * regular communication from communication leader (ex. daily update)
```
Ref: https://github.com/curl/curl/actions/runs/17527331816/job/49779555753?pr=18485

Also: add ending slashes to 2 URLs.

Follow-up to 6905370df5 #18483
Closes #18486
2025-09-07 12:39:44 +02:00
Jim Fuller
6905370df5 docs: add major incident section to vuln disclosure policy
Closes #18483
2025-09-06 12:20:45 +02:00
Daniel Stenberg
af81e8fe5f VULN-DISCLOSURE-POLICY.md: 7 days embargo is max
It was recently updated in this doc to seven, but there were *two*
numbers mentioned and only one of them was updated leaving the paragraph
quite confusing.

Follow-up to 83c90e5047

Closes #17921
2025-07-14 09:08:47 +02:00
Daniel Stenberg
dc263e15e1 VULN-DISCLOSURE-POLICY: minor language polish
Closes #17799
2025-07-01 22:54:43 +02:00
Marcel Lang
10432ffb6a VULN-DISCLOSURE-POLICY.md: fix typos
Closes #17796
2025-07-01 22:50:45 +02:00
Daniel Stenberg
ff15eef2d6 VULN-DISCLOSURE-POLICY: all reports should be disclosed
As a matter of policy.

Closes #17778
2025-06-29 16:42:03 +02:00
Daniel Gustafsson
86eb054286 VULN-DISCLOSURE-POLICY: exclude not installed software
Flaws in any script or compiled artifact which isn't installed by
default are not considered to be security vulnerabilities.

Closes #17761
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2025-06-27 12:08:01 +02:00
Daniel Stenberg
83c90e5047 VULN-DISCLOSURE-POLICY.md: the distros list wants <= 7 days embargo
Closes #17497
2025-05-31 18:00:58 +02:00
Daniel Stenberg
9f57c2ea95 VULN-DISCLOSURE-POLICY: use of weak algos
Not necessarily security problems.

Closes #17220
2025-04-29 13:11:07 +02:00
Dan Fandrich
c693cc02b0 docs: vulnerabilities in debug code are not eligible for a bounty
This is code that is off by default and is therefore treated as a
regular bug.

Ref: #16526
Closes #16527
2025-02-28 14:21:46 -08:00
Daniel Stenberg
cb4cd36fe7 VULN-DISCLOSURE-POLICY: on legacy dependencies
Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes #16086
2025-01-27 15:48:13 +01:00
Daniel Stenberg
cfb97e1fcf VULN-DISCLOSURE-POLICY.md: mention the not setting CVSS
Closes #15779
2024-12-19 22:59:54 +01:00
Daniel Stenberg
a18680f501 VULN-DISCLOSURE-POLICY.md: small typo fix
2024-08-05 17:15:31 +02:00
Daniel Stenberg
b715bb371c VULN-DISCLOSURE-POLICY: NULL dereferences and crashes
If a malicious server can trigger a NULL dereference in curl or
otherwise cause curl to crash (and nothing worse), chances are big that
we do not consider that a security problem.

Closes #13974
2024-06-19 12:53:35 +02:00
Daniel Stenberg
86d33001e4 reuse: add copyright + license info to individual docs/*.md files
Instead of using 'docs/*.md' in dep5. For clarity and to avoid a
wide-matching wildcard.

+ Remove mention of old files from .reuse/dep5
+ add info to .github/dependabot.yml
+ make scripts/copyright.pl warn on non-matching patterns

Closes #13245
2024-03-31 12:01:18 +02:00
Daniel Stenberg
39173f66e5 VULN-DISCLOSURE-POLICY.md: update detail about CVE requests
curl is a CNA now

Closes #13088
2024-03-08 13:16:27 +01:00
Daniel Stenberg
2097a095c9 docs: use present tense
avoid "will", detect "will" as a bad word in the CI

Also line wrapped a bunch of paragraphs

Closes #13001
2024-02-27 09:47:21 +01:00
Daniel Stenberg
e5000e797f GHA: add a job scanning for "bad words" in markdown
This means words, phrases or things we have decided not to use - words that
are spelled right according to the dictionary but we want to avoid. In the
name of consistency and better documentation.

Closes #12764
2024-01-24 08:44:34 +01:00
Daniel Stenberg
9588528a0b VULN-DISCLOSURE-POLIC: remove broken link to hackerone
It should ideally soon not be done from hackerone anyway

Closes #12308
2023-11-11 23:16:52 +01:00
Daniel Stenberg
2b16b86bb6 VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw
Closes #12278
2023-11-06 12:51:00 +01:00
Daniel Stenberg
46d4ae5e11 SECURITY-PROCESS.md. call it vulnerability disclosure policy
SECURITY-PROCESS.md -> VULN-DISCLOSURE-POLICY.md

This is a name commonly used for a document like this. This name helps
users find it.

Closes #11852
2023-09-14 17:04:33 +02:00