VULN-DISCLOSURE-POLICY.md: test code is not secure

author Daniel Stenberg <daniel@haxx.se>

Mon, 18 May 2026 14:05:49 +0000 (16:05 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 18 May 2026 14:19:06 +0000 (16:19 +0200)
author Daniel Stenberg <daniel@haxx.se>
Mon, 18 May 2026 14:05:49 +0000 (16:05 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 18 May 2026 14:19:06 +0000 (16:19 +0200)
diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md

index 1ce3f4e26d4d9ee634176b61203f2604b958e7a5..99fb5577a3d1d00e5b9fab3a7f7cae75ace99fa4 100644 (file)
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -254,6 +254,14 @@ security problems.
  The same applies to scripts and software which are not installed by default
  through the make install rule.
  
+## Test code
+
+curl has an extensive test suite with lots of code written specifically to
+exercise and verify curl, libcurl and specific internal functions. The test
+code and its associated test servers are *not* intended for production use.
+They are not secure, you should not assume otherwise and must not report about
+security problems in those.
+
  ## URL inconsistencies
  
  URL parser inconsistencies between browsers and curl are expected and are not
author	Daniel Stenberg <daniel@haxx.se>
	Mon, 18 May 2026 14:05:49 +0000 (16:05 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 18 May 2026 14:19:06 +0000 (16:19 +0200)