VULN-DISCLOSURE-POLICY: on legacy dependencies

author Daniel Stenberg <daniel@haxx.se>

Sat, 25 Jan 2025 11:04:04 +0000 (12:04 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 27 Jan 2025 14:48:13 +0000 (15:48 +0100)
author Daniel Stenberg <daniel@haxx.se>
Sat, 25 Jan 2025 11:04:04 +0000 (12:04 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 27 Jan 2025 14:48:13 +0000 (15:48 +0100)
diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md

index e10b48906209ae506daff0cf31b70415d54b6516..d0785de8d9a9abc29da7fe5dc7d2cf3cf0ab8f32 100644 (file)
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -322,3 +322,18 @@ that being the end of the world.
  
  There need to be more and special circumstances to treat such problems as
  security issues.
+
+## Legacy dependencies
+
+Problems that can be triggered only by the use of a *legacy dependency* are
+not considered security problems.
+
+A *legacy dependency* is here defined as:
+
+- the legacy version was released over ten years ago AND
+
+- the legacy version is no longer in use by any existing still supported
+  operating system or distribution AND
+
+- there are modern versions of equivalent or better functionality offered and
+  in common use
author	Daniel Stenberg <daniel@haxx.se>
	Sat, 25 Jan 2025 11:04:04 +0000 (12:04 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 27 Jan 2025 14:48:13 +0000 (15:48 +0100)