From: Daniel Stenberg Date: Sat, 25 Jan 2025 11:04:04 +0000 (+0100) Subject: VULN-DISCLOSURE-POLICY: on legacy dependencies X-Git-Tag: curl-8_12_0~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb4cd36fe7183b2f289b40be6e38c1442925ab18;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY: on legacy dependencies Problems that only trigger using *legacy* dependencies are not considered security problems. Closes #16086 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index e10b489062..d0785de8d9 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -322,3 +322,18 @@ that being the end of the world. There need to be more and special circumstances to treat such problems as security issues. + +## Legacy dependencies + +Problems that can be triggered only by the use of a *legacy dependency* are +not considered security problems. + +A *legacy dependency* is here defined as: + +- the legacy version was released over ten years ago AND + +- the legacy version is no longer in use by any existing still supported + operating system or distribution AND + +- there are modern versions of equivalent or better functionality offered and + in common use
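Review bot: The second bullet of the new "Legacy dependencies" section ("no longer in use by any existing still supported operating system or distribution") gives no indication of who makes that determination or against which set of distributions, so a reporter and the security team can reach different answers for the same version. Consider stating that the curl security team makes the call, or naming the kind of evidence that settles it. The first bullet ("released over ten years ago") also lacks a reference point; adding "at the time of the report" would make it unambiguous. Finally, the section introduces the term *legacy dependency* but the bullets speak of "the legacy version"; a sentence saying the definition applies to a specific version of a dependency, not to the dependency as a whole, would remove that mismatch. The third bullet's "in common use" is similarly open to interpretation and could use the same clarification about who decides.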