From bb334dfdde73fba5601565f47572ec10c67bc62b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 18 Mar 2023 00:08:13 +0100 Subject: [PATCH] SECURITY-PROCESS.md: Busy-loops are not security problems Closes #10790 --- docs/SECURITY-PROCESS.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 89026b6446..1e85805d76 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -260,3 +260,11 @@ security vulnerabilities. - virtually every argument can contain sensitive data, depending on use - blanking all arguments would make it impractical for users to differentiate curl command lines in process listings + +## Busy-loops + +Busy-loops that consume 100% CPU time but eventually end (perhaps due to a set +timeout value or otherwise) are not considered security problems. Applications +are supposed to already handle situations when the transfer loop legitimately +consumes 100% CPU time, so while a prolonged such busy-loop is a nasty bug, we +do not consider it a security problem. -- 2.47.3
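Review bot: In the new "Busy-loops" section, the qualifier "but eventually end (perhaps due to a set timeout value or otherwise)" leaves the non-terminating case unstated. Someone triaging a report cannot tell from this text how a loop that never ends is classified, or one that ends only because the application happened to set a timeout. Suggest adding one sentence that says explicitly whether a busy-loop that does not end on its own is in or out of scope, so the boundary of the policy is written down rather than implied. As a wording point in the last sentence, "a prolonged such busy-loop" reads awkwardly; "such a prolonged busy-loop" says the same thing more clearly.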