docs/BUG-BOUNTY: the sponsors actually decide the amount

Retract the previous approach as the sponsors will be the ones to set the
final amounts.

Closes #3152
[ci skip]

diff --git a/docs/BUG-BOUNTY.md b/docs/BUG-BOUNTY.md
index 813cc5fc16dd957084832cc0433f3c934dc5d423..0c881b83f729925a6ba14c0b58d024308373a3fe 100644 (file)
--- a/docs/BUG-BOUNTY.md
+++ b/docs/BUG-BOUNTY.md
@@ -15,17 +15,12 @@
 ## How much money is the bounty at
 
  The curl projects offer monetary compensation for reported and published
- security vulnerabilities. The amount of money rewarded depends on how serious
- the flaw is determined to be.
+ security vulnerabilities. The amount of money that is rewarded depends on how
+ serious the flaw is determined to be.
 
- We offer reward money *up to* these amounts. The curl security team will
- solely and exclusively determine the exact amount for each reported flaw on a
- case by case basis and keep the rights to adjust the amount as it sees fit.
-
- - Low      USD 500
- - Medium   USD 1,000
- - High     USD 5,000
- - Critical USD 10,000
+ We offer reward money *up to* the total amount of the fund. The curl security
+ team determines the severity of each reported flaw on a case by case basis
+ and the exact amount rewarded to the reporter is then decided by the sponsor.
 
 ## Who's eligible for a reward
 
@@ -60,11 +55,10 @@
 ## How are reward amounts determined
 
  The curl security team first gives the vulnerability a score, as mentioned
- above, and based on that level the team may increase or decrease the bounty
- amount from the general template depending on the specifics of the individual
- case.
+ above, and based on that level the sponsor sets the bounty amount depending
+ on the specifics of the individual case.
 
- The curl security team will be the sole arbiter of the bounty amount.
+ The bounty fund sponsor is the arbiter of the bounty amount.
 
 ## What happens if the bounty fund is drained