https://blog.mozvr.com/pathfinder-a-first-look/

In the past month, we merged 208 PRs in the Servo organization’s repositories.

Windows nightlies are temporarily broken.

Planning and Status

Our roadmap is available online, including the team’s plans for 2019.

This week’s status updates are here.

Exciting works in progress

• ferjm is adding media controls to video elements.
• ceyusa is implementing hardware accelerated video playback for Linux.
• jdm is adding Windows arm64 support.
• georgeroman is enabling automated tests for WebDriver.
• paul is embedding Servo inside a HoloLens app.

Notable Additions

• Manish added foundations of automated testing of WebXR.
• Eijebong implemented type-safe DOM APIs that interact with JS Promises.
• jdm and paulrouget upgraded glutin to 0.21.
• maharsh312 implemented most of the missing OffscreenCanvas APIs.
• ferjm added support for simultaneous playback of audio and video streams.
• Darkspirit updated various network security data files (HSTS, PSL, CAs).
• jdm added support for running Servo on Windows via ANGLE.
• Manishearth made receiving streams through WebRTC possible.
• pylbrecht implemented resource timing for synchronous network requests.
• jdm fixed a problem preventing transitioning into Daydream VR.
• jdm improved the ergonomics of testing Magic Leap builds.
• codehag implemented support for using a remote web console from Firefox with Servo’s content.
• PurpleHairEngineer implemented the StereoPannerNode WebAudio API.
• jdm upgraded the JavaScript engine.
• tdelacour improved the type-safety of text input code that switches between UTF-8 and UTF-16 strings.
• ceyusa created an API for providing hardware-accelerated GL video playback.
• mmatyas implemented support for compressed textures in WebGL.
• jdm upgraded the NDK in use for Android builds.

New Contributors

• Jeremy Ir
• Marcin Wiacek
• Maria Sable
• Martin Boros
• Pete Moore
• Tomek LECOCQ
• William Bartlett
• ffwff

Interested in helping build a web browser? Take a look at our curated list of issues that are good for new contributors!

https://blog.servo.org/2019/06/03/twis-130/

Hey all! Today we're happy to announce the Governance Working Group is going public. We've been spending the last couple weeks finding our bearings and structuring the working group.

You can find our charter outlining our main goals and priorities in our work repository. We are using the Github issues, milestones and projects to organise and track our progress. The readme in the repository explains our working process a bit more in detail. It also states how you can talk to us (hint, via discord) and get involved.

If you're interested in the governance working group, you may also be interested in the Lang Team Meta WG, which is exploring solutions specific to the lang team.

https://blog.rust-lang.org/2019/06/03/governance-wg-announcement.html

happy bmo push day: now with added contrast

release tag

the following changes have been pushed to bugzilla.mozilla.org:

• [1225902] Show only flags with requestee in the “Flags You Have Requested” section
• [1552720] Linkify bug summaries on My Dashboard query table
• [1542554] Add bug type icons to dependency trees
• [1514000] Suppress duplicated changes in bug history made at the same time mainly due to mid-air collisions
• [1523536] New bug’s…

View On WordPress

https://mozilla-bteam.tumblr.com/post/185273833603

happy bmo push day (May 16th)

release tag

the following changes have been pushed to bugzilla.mozilla.org:

• [1546502] Miscellaneous tweaks and fixes for 2019 week 16
• [1345750] “Depends on” and “Blocks” bug lists should still show list of bug links in edit mode
• [1544059] Cloning a bug as a blocker doesn’t copy the ‘component’ field
• [1543741] Blocklist requests getting filed as ‘defect’ instead of ‘task’ because of custom form
• [1…

View On WordPress

https://mozilla-bteam.tumblr.com/post/185273756663

https://tantek.com/2019/150/b2/w3c-needs-you-please-vote-change

It’s just another meaningless number, but today there are 3,000 forks done of the curl GitHub repository.

This pops up just a little over three years since we reached our first 1,000 forks. Also, 10,000 stars no too long ago.

Why fork?

A typical reason why people fork a project on GitHub, is so that they can make a change in their own copy of the source code and then suggest that change to the project in the form of a pull-request.

The curl project has almost 700 individual commit authors, which makes at least 2,300 forks done who still haven’t had their pull-requests accepted! Of course those are 700 contributors who actually managed to work all the way through to inclusion. We can imagine that there is a huge number of people who only ever thought about doing a change, some who only ever just started to do it, many who ditched the idea before it was completed, some who didn’t actually manage to implement it properly, some who got their idea and suggestion shut down by the project and of course, lots of people still have their half-finished change sitting there waiting for inspiration.

Then there are people who just never had the intention of sending any change back. Maybe they just wanted to tinker with the code and have fun. Some want to do private changes they don’t want to offer or perhaps they already know the upstream project won’t accept.

We just can’t tell.

Many?

Is 3,000 forks a lot or a little? Both. It is certainly more forks than we’ve ever had before in this project. But compared to some of the most popular projects on GitHub, even comparing to some other C projects (on GitHub the most popular projects are never written in C) our numbers are dwarfed by the really popular ones. You can probably guess which ones they are.

In the end, this number is next to totally meaningless as it doesn’t say anything about the project nor about what contributions we get or will get in the future. It tells us we have (or had) the attention of a lot of users and that’s about it.

I will continue to try to make sure we’re worth the attention, both now and going forward!

(Picture from pixabay.)

https://daniel.haxx.se/blog/2019/05/30/curl-3k-forks/

Getting either no devices listed or just unauthorized from adb devices when running adb in a virtual machine? My setup is VirtualBox running Ubuntu 18.04 LTS hosted in Windows 10 machine. Connecting one of my Android devices with Lineage 16 and running adb in the VM doesn’t make the device ask for debugging authorization. When connecting with adb from the host machine, it does.

The solution is inspired by this stackoverflow post, with few modifications.

Prerequisites:

On both the host and the virtual machine make sure the version of adb is exactly the same. Otherwise the client will ask the server to restart and unexpectedly fail, when using the below provided solution.

For instance, Firefox for Android build uses internally adb version 1.0.41. But the system wide adb (up to date) in Ubuntu is 1.0.39. To download platform-tools for Windows, in my case, with that version you have to hack the URL bar a bit as there are no download links on the android site for older versions. Trial and error got me this link to get the tools with adb version 1.0.39 for Windows.

On the host machine:

• Connect the device with USB debugging enabled, as usually
• Don’t connect it in the running VirtualBox VM
• Run adb devices to check the host machine sees the devices, check the server has started on port 5037

On the virtual machine:

• Make sure the adb server is not running with adb kill-server
• Check nothing listens on the 5037 port with netstat -nao | grep :5037
• Run socat tcp-listen:5037,fork tcp:10.0.2.2:5037 where 10.0.2.2 should be the host address as seen from the VirtualBox VM
• Run adb devices
• You should see the same result as on the host machine and be able to work with the device now

The trick is to simply forward the TCP traffic between the two machines and pretend a server in the VM. It can work well the other way around with any kind of direct TCP relay in Windows, any kind of port and any IP address of choice.

I wrote this more for myself to not forget till next time, but maybe it will help someone.

The post Fixing adb device unauthorized in VirtualBox hosted linux appeared first on mayhemer's blog.

https://www.janbambas.cz/fixing-adb-device-unauthorized-in-virtualbox-hosted-linux/

Alan Davidson, Vice President of Global Policy, Trust and Security testified today on behalf of Mozilla before the International Grand Committee on Big Data, Privacy and Democracy. The International Grand Committee, composed of representatives from numerous governments around the world, has gathered in Ottawa, Canada for its second meeting, hosted by the House of Commons of Canada.

“We believe the internet can be better. And to build an internet that is both innovative and worthy of people’s trust, we will need better technology and better policy,” said Alan. In his testimony Alan focused on the need for better product design to protect privacy; getting privacy policy and regulation right; and the complexities of content policy issues. Against the backdrop of tech’s numerous missteps over the last year, our mission-driven work is a clear alternative to much of what is wrong with the web today.

For more, check out the replay of the hearing or read Alan’s prepared statement for the Committee.

 

The post “We believe the internet can be better,” Mozilla to the International Grand Committee appeared first on The Mozilla Blog.

https://blog.mozilla.org/blog/2019/05/29/we-believe-the-internet-can-be-better-mozilla-to-the-international-grand-committee/

Author’s note: Hi, I’m an engineer at Mozilla working on the Firefox DevTools server. I’m also a TC39 representative. This post focuses on some of the experiments I am trying out at the TC39, the standards body that manages the JavaScript specification. A follow up post will follow…

---

In what ways can empirical evidence be used in the design of a language like JavaScript? What kind of impact would a more direct connection to developers give us? As stewards of the JavaScript specification, how do we answer questions about the design of JavaScript and help make it accessible to the thousands of new coders who join the industry each year? To answer this we need to experiment, and I need your help.

Enter stage left: a survey

I know, it isn’t so exciting. It’s a survey. We are testing whether or not the methods used in this survey provide useful information about specific parts of a proposal. In other words, we are testing how we can identify different factors related to code: Cognitive load, error proneness, readability, and learn-ability.

The goal is to see what we can learn from the data you share. Whether it will be useful remains to be seen. This is the first attempt to do this, so it will not be perfect.

This is also why I need everyone’s help. Whatever your background, your responses will be very much appreciated. You might be learning JavaScript as your first language, coming to JavaScript from another language, or working in the language professionally.

Well, I hope I have gotten everyone excited to take a survey. I am certainly excited. It is estimated to be 15 minutes, I hope it is enjoyable!

Here is the survey link again.

The post JavaScript and evidence-based language design appeared first on Mozilla Hacks - the Web developer blog.

https://hacks.mozilla.org/2019/05/javascript-and-evidence-based-language-design/

https://tantek.com/2019/148/b1/running-for-w3c-advisory-board

Again, a polite reminder that Intel Macs aren't supported, but that doesn't mean people don't want to run TenFourFox on them. Thanks to new builder Hayley, Tiger-compatible versions of FPR14 and the MP4 Enabler are available for Intel. Previous versions have had issues on Tiger due to issue 209, so watch for that if you choose to run these, but initial testing at least looks very promising.

I've also given Ken direct access to that folder so that he can coordinate and upload Intel builds on a semi-regular basis without me as the rate limiting step. Remember, the Intel build is unsupported and issues posted to Tenderapp about it will be closed. There are no guarantees that it works, and there are no guarantees that builds will continue.

Meanwhile, I'm working on what may be a fruitless effort to add async/await support and am about halfway done with the merge. It will probably build but no guarantees that it will work, and there's probably some additional fixes needed to get it up to reasonable standards compliance. I'm trying to keep it all in one easily managed commit which is why there hasn't been much activity on Github for FPR15; this may be the only major new feature in order to reduce regression risk. More later.

http://tenfourfox.blogspot.com/2019/05/finally-bit-of-love-for-intel-tiger.html

Today we’re presenting new brand marks for Firefox Monitor and Firefox Lockwise. Lockwise? Yes, that’s the official name for the service we’d nicknamed “Lockbox” during its product development phase. The new icons are meant to signal the functions these apps perform. Firefox Monitor, which helps you discover if your email address has been part of a data breach and can alert you about further breaches, is represented by a magnifying glass. Firefox Lockwise, which provides an easy way to store your Firefox passwords and protect your data, suggests both a lock and a profile. The marks reinforce that all of our Firefox products and services help you keep your personal life private.

 

If you’ve been wondering whatever happened to the Firefox brand identity work we shared in this space last year, and whether System 1 or System 2 prevailed, these new icons offer a clue.  They are not the whole story. We’ll be unveiling an evolved Firefox brand the week of June 10th, so please stay tuned. We look forward to hearing what you think.

The post A glimpse of what’s to come. appeared first on Mozilla Open Design.

https://blog.mozilla.org/opendesign/a-glimpse-of-whats-to-come/

Our newest Friend of Add-ons is Martin Giger! Martin is a leader and member of the Mozilla Switzerland community, an extension developer, and a frequent contributor to Mozilla’s community forums, where he helps people find answers to their questions about extension development. If you have ever visited our forums or joined one of our channels on IRC, there’s a good chance you’ve seen Martin kindly and patiently helping people resolve their issues. (He has also written a great blog post about how to effectively ask for help when you get stuck on a problem.)

Martin began contributing to Mozilla in the early 2010s when he began localizing a Thunderbird extension into German and building his first Firefox extension. He also became involved with the Nightingle Media Player project, an open-source audio player and web browser based on the Mozilla XULRunner.

Since then, Martin has contributed to a number of add-on projects, including the Add-on SDK, the add-ons linter, the site addons.mozilla.org, and the WebExtensions API. Always interested in finding creative technical solutions to solve problems he encounters in everyday life, he has recently been tinkering with Mozilla’s Web of Things platform, rewriting a Twitter tool used by the Mozilla Switzerland community, and managing web-related activities for the concert band he plays in.

In addition to spending time with Mozillians online, Martin also enjoys socializing in person with members of his local community. “Doing things with local contributors is meaningful,” he remarks. “No matter what they contributed to, meeting up with people and talking about things you’re passionate about makes Mozilla something you can grasp (and not just something you spend time in front of a computer on).”

Martin, the entire add-ons team extends their gratitude and appreciation to you for your kindness, willingness to help others, and sound judgement. Thank you for all of your contributions to our ecosystem!

If you are interested in getting involved with the add-ons community, please take a look at our wiki for some opportunities to contribute to the project.

The post Friend of Add-ons: Martin Giger appeared first on Mozilla Add-ons Blog.

https://blog.mozilla.org/addons/2019/05/28/friend-of-addons-martin-giger/

https://quality.mozilla.org/2019/05/firefox-68-beta-6-testday-may-31st/

We have read in the news that big platforms are willing to tackle head on privacy. The word "privacy" became an act of marketing, a way to sell a brand, to grow market shares, to renew or increase trust. This became an object of commerce. We even see debates on who could provide the best solution for a privacy oriented platform or that privacy is a hype.

For a long time, we know that the amount of data collections by any platforms is humongous.

In the same time, another topic of concerns has increased, security with different angles:

• being safe online for individual people
• stopping massive data hacking
• protecting knowledge and speech with regards to the surge of fake news

All of these mostly resonate around the one-to-many/many-to-one issues.

But one thing is certain. The big platforms will redefine the word "privacy". It will be a space where you communicate with your friends protected from the mass. Privacy will be redefined as small group communications. Don't be fooled. There is still one entity which will be recording everything, studying patterns of communications, making money on understanding your behavorial patterns.

Worse… with the illusion of privacy given by this smaller spaces of communications, the people using them will feel more secure, comfortable, more at home. They will stop thinking twice about sharing something, while the entity is still listening.

Intimacy is something we share with others in small groups indeed. It has a lot of variations, levels of opacity, adjusted for contexts. Big platforms will never be able to provide a true space of privacy or intimacy, while their core business is about listening on what we express. Smaller communication groups are indeed sometimes the solution, but they need to exist outside of any listening/recording apparatus created by a third party. Communications are a contract in between the people who choose to have them. Any third party listening, recording, analyzing to sell the value extracted from these communications challenges right away the notion of privacy. The forest is not dark, when someone is listening.

Otsukare!

http://www.otsukare.info/2019/05/27/privacy-illusions

Tuesday’s release of Firefox 67 brought a number of performance enhancing features that make this our fastest browser ever.  Among these is the high performance, royalty free AV1 video decoder dav1d, now enabled by default on all desktop platforms (Windows, OSX and Linux) for both 32-bit and 64-bit systems.

With files more than 30% smaller than today’s most popular web codec VP9 [1], and nearly 50% smaller than its widely deployed predecessor H.264 [2], AV1 allows high-quality video experiences with a lot less network usage, and has the potential to transform how and where we watch video on the Internet. However, because AV1 is brand new and more sophisticated, some experts had predicted that market adoption would wait until 2020 when high-performance hardware decoders are expected.  Dav1d in the browser upends these predictions.

Sponsored by the Alliance for Open Media, dav1d is a joint effort between the French non-profit VideoLAN and the greater FFmpeg open source audio/video community.  Some of the leading minds in open source multimedia joined forces to release the first version of dav1d last fall, already 2x to 5x faster than libaom, the reference decoder published by AOMedia as part of the AV1 standards effort.

Since then the dav1d developers have squeezed out even more performance by profiling and rewriting critical sections in highly-parallelized SIMD assembly. And this shows in the benchmarks:

Higher performance and greater efficiency means smooth playback of AV1 video in the browser with significantly less CPU utilization.

AV1 already seeing adoption on the web

Landing dav1d in Firefox could not have happened at a better time.  In just the past few months we’ve seen remarkable growth in the use of AV1, with our latest figures showing that 11.8% of video playback in Firefox Beta used AV1, up from 3% in March and 0.85% in February.

Now that desktop Firefox contains dav1d, we expect even more websites will take advantage of this next-generation, royalty-free video codec AV1.

Mozilla investing in the AV1 future

State-of-the-art decoders like dav1d are great for video playback, but best-in-class, free and open source software encoders are equally important to a healthy AV1 community.  The AOMedia reference encoder was developed with the goal of creating the AV1 standard, not a production encoder.  Thus, Mozilla and Xiph.Org are jointly developing a clean-room encoder named rav1e (the Rust AV1 Encoder) to increase encoding gains over the reference encoder and allow software encoding fast enough for real-time applications like WebRTC.

Good encoders make heavy use of psychovisual models to allocate bits for what humans perceive as good visual quality (not PSNR).  With rav1e we are applying the perceptual analysis expertise from our earlier Daala and Theora codec development efforts to add activity masking, better color balancing, improved rate control and perceptual distortion metrics like CDEF that bring new, improved quality to AV1 encoding.

We’re also investing considerable research to improve encoder speed, optimizing new techniques that appear for the first time in AV1.  It’s not enough to rewrite existing code from the initial reference encoder in SIMD assembly and make it four times faster. Rav1e is developing ways to make AV1 encoding tools 1000x faster by finding new algorithms rather than simply optimizing existing code.

Rav1e is getting better all the time.  Active development continues at a rapid pace, landing major new improvements weekly.

Join the conversation

Do you find video compression and related technologies fascinating?  Then join us in New York on June 26 for the Big Apple Video 2019 conference co-hosted by Mozilla and Vimeo.  This full day event focuses on cutting edge video technologies and the user experiences they enable.  With speakers from Twitch, Cisco, NGCodec, Intel, Wikimedia and other well known companies, this conference is designed for video technology enthusiasts like you!

We’d love to have you with us in New York, but if not you can register to attend remotely and watch our on-line video stream.  What else would you expect from a conference on video and related technologies?

References

1. AV1 beats x264 and libvpx-vp9 in practical use case – https://code.fb.com/
2. MSU Codec Comparison 2018 – http://www.compression.ru/

The post Firefox brings you smooth video playback with the world’s fastest AV1 decoder appeared first on Mozilla Hacks - the Web developer blog.

https://hacks.mozilla.org/2019/05/firefox-brings-you-smooth-video-playback-with-the-worlds-fastest-av1-decoder/

https://mozillagfx.wordpress.com/2019/05/23/webrender-newsletter-45/

Please note some of the information provided in this report may be subject to change as we are sometimes sharing information about projects that are still in early stages and are not final yet.

Welcome!

New localizers

• Ratko of Serbian
• Davide of Italian
• Daniel of Macedonian
• Wannaphong of Thai

Are you a locale leader and want us to include new members in our upcoming reports? Contact us!

New community/locales added

• Bashkirs (ba), a Turkic language mostly spoken in Russia

New content and projects

What’s new or coming up in Firefox desktop

Firefox 68 has officially entered Beta. The deadline to ship localization updates into this version is June 25. It’s important to remember that 68 is going to be an ESR version too: if your localization is incomplete on Jun 26, or contains errors, it won’t be possible to fix them later on for ESR.

A lot of content has landed in Firefox 68 towards the end of the cycle. In particular, make sure to test the new stub installer in the coming weeks, and the redesigned about:welcome experience. Detailed instructions are available in this thread on dev-l10n. You should also check out this post on how to localize the new “Join Firefox” message.

Partially related to Firefox Desktop: Facebook Container is quickly approaching version 2.0, adding several informative panels to the initial bare UI.

What’s new or coming up in mobile

As promised, more new and exciting things are happening in mobile land since our last report.

In fact, we have recently enabled two new projects in Pontoon, since we are opening up localization of a new password management product for both Android and iOS: Lockwise for Android (strings are located inside the locale folders, with a path starting by mozilla-mobile/lockwise-android/) and Lockwise for iOS – both formerly known as “Lockbox”. Ideal deadline for localizing and testing these projects is May 27th. As for previously enabled mobile projects, we are only exposing these strings to a subset of locales for now. We’ll add more locales as we get a handle on this first batch.

For Fenix and android-components strings, the current deadline for localizing and testing is still June 13th.

What’s new or coming up in web projects

Version 2 of the Firefox Monitor website is launching in the coming days. It’s a complete redesign, that will allow users to sign up with their Firefox Account, and monitor multiple emails easily.

Firefox Accounts: many strings were added in the recent feature updates. Please check Pontoon for the deadline. There might be more strings to be added before the weekend. The team will push codes more regularly to include as much localized content as possible on production before the launch of the new feature.

Mozilla.org added and updated four files in the past week: firefox/accounts-2019.lang, firefox/new/trailhead.lang, firefox/whatsnew_67.0.5.lang, and mozorg/newsletters.lang. Follow the deadline and prioritize against other requests.

Events

• The Thai community meetup took place in Bangkok on 18-19 of May. This was the first localization meetup of the year led by the l10n-drivers. Community manager Vee summarized well through this blog.
• Want to showcase an event coming up that your community is participating in? Reach out to any l10n-driver and we’ll include that (see links to emails at the bottom of this report)

Friends of the Lion

Know someone in your l10n community who’s been doing a great job and should appear here? Contact on of the l10n-drivers and we’ll make sure they get a shout-out (see list at the bottom)!

Useful Links

• Dev.l10n mailing list and Dev.l10n.web mailing list – where project updates happen. If you are a localizer, then you should be following this
• Facebook group: it’s new! Come check it out!
• Twitter
• Telegram (contact one of the l10n-drivers below so we will add you)
• L10n blog
• #l10n irc channel: this wiki page will help you get set up with IRC. For L10n, we use the #l10n channel for all general discussion. You can also find a list of IRC channels in other languages here.

Questions? Want to get involved?

• If you want to get involved, or have any question about l10n, reach out to:
  • Delphine – l10n Project Manager for mobile
  • Peiying (CocoMo) – l10n Project Manager for mozilla.org, marketing, and legal
  • Francesco Lodolo (flod) – l10n Project Manager for desktop
  • Th'eo Chevalier – l10n Project Manager for Mozilla Foundation
  • Axel (Pike) – l10n Tech Team Lead
  • Sta's – l20n/FTL tamer
  • Matjaz – Pontoon dev
  • Adrian – Pontoon dev
  • Jeff Beatty (gueroJeff) – l10n-drivers manager
  • Rub'en – Interim L10n community coordinator for Support

Did you enjoy reading this report? Let us know how we can improve by reaching out to any one of the l10n-drivers listed above.

https://blog.mozilla.org/l10n/2019/05/23/l10n-report-may-edition-2/

We announced our glorious return to the “bug bounty club” (projects that run bug bounties) a month ago, and with the curl 7.65.0 release today on May 22nd of 2019 we also ship fixes to security vulnerabilities that were reported within this bug bounty program.

Announcement

Even before we publicly announced the program, it was made public on the Hackerone site. That was obviously enough to get noticed by people and we got the first reports immediately!

We have received 19 reports so far.

Infrastructure scans

Quite clearly some people have some scripts laying around and they do some pretty standard things on projects that pop up on hackerone. We immediately got a number of reports that reported variations of the same two things repeatedly:

1. Our wiki is world editable. In my world I’ve lived under the assumption that this is how a wiki is meant to be but we ended up having to specifically mention this on curl’s hackerone page: yes it is open for everyone on purpose.
2. Sending emails forging them to look like the come from the curl web site might work since our DNS doesn’t have SPF, DKIM etc setup. This is a somewhat better report, but our bounty program is dedicated for and focused on the actual curl and libcurl products. Not our infrastructure.

Bounties!

Within two days of the program’s life time, the first legit report had been filed and then within a few more days a second arrived. They are CVE-2019-5435 and CVE-2019-5436, explained somewhat in my curl 7.65.0 release post but best described in their individual advisories, linked to below.

I’m thrilled to report that these two reporters were awarded money for their findings:

Wenchao Li was awarded 150 USD for finding and reporting CVE-2019-5435.

l00p3r was awarded 200 USD for finding and reporting CVE-2019-5436.

Both these issues were rated severity level “Low” and we consider them rather obscure and not likely to hurt very many users.

Donate to help us fund this!

Please notice that we are entirely depending on donated funds to be able to run this program. If you use curl and benefit from a more secure curl, please consider donating a little something for the cause!

https://daniel.haxx.se/blog/2019/05/22/report-from-the-curl-bounty-program/