From c693cc02b031d008a36e885bde55963500382930 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Fri, 28 Feb 2025 12:36:14 -0800 Subject: [PATCH] docs: vulnerabilities in debug code are not eligible for a bounty This is code that is off by default and is therefore treated as a regular bug. Ref: #16526 Closes #16527 --- docs/VULN-DISCLOSURE-POLICY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index d0785de8d9..35063053d2 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -247,11 +247,11 @@ local system or network, the bar is raised. If a local user wrongfully has elevated rights on your system enough to attack curl, they can probably already do much worse harm and the problem is not really in curl. -## Experiments +## Debug & Experiments Vulnerabilities in features which are off by default (in the build) and -documented as experimental, are not eligible for a reward and we do not -consider them security problems. +documented as experimental, or exist only in debug mode, are not eligible for a +reward and we do not consider them security problems. ## URL inconsistencies -- 2.47.2
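Review bot: In the reworded paragraph under the new "Debug & Experiments" heading, "or exist only in debug mode" is ambiguous in two ways. First, "debug mode" is not defined. The commit message says this is "code that is off by default", which points at a build-time setting, but the policy sentence could equally be read as covering runtime debug or verbose options in a normal build. Second, the clause has no clear subject: "features which are off by default (in the build) and documented as experimental, or exist only in debug mode" can be parsed so that debug-only code must also be documented as experimental. Consider stating the build-time scope explicitly and giving the debug case its own noun, for example "Vulnerabilities in features which are off by default (in the build) and documented as experimental, or in code that exists only in debug builds, are not eligible for a reward and we do not consider them security problems." Separately, renaming the heading from "Experiments" changes the generated section anchor, so any existing links to the old section name should be checked.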