VULN-DISCLOSURE-POLICY: NULL dereferences and crashes

If a malicious server can trigger a NULL dereference in curl or
otherwise cause curl to crash (and nothing worse), chances are big that
we do not consider that a security problem.

Closes #13974

diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words
index 869d588ea116c24b2fe5e12a06c3f1b1669e647d..41609d896cd50c310d207d4eda30037908de1325 100644 (file)
--- a/.github/scripts/spellcheck.words
+++ b/.github/scripts/spellcheck.words
@@ -174,6 +174,8 @@ decrypting
 deepcode
 DELE
 DER
+dereference
+dereferences
 deselectable
 deserialization
 Deserialized
@@ -508,8 +510,8 @@ monospace
 MorphOS
 MPE
 MPL
-MPTCP
 mprintf
+MPTCP
 MQTT
 mqtt
 mqtts

diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md
index 0f89816e0185330ba804fde34f6074a130275f0d..e6d6f345091043691e348d02aaec8aab1951fe2d 100644 (file)
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -298,3 +298,18 @@ is curl working as designed and is not a curl security problem. Escape
 sequences, moving cursor, changing color etc, is also frequently used for
 good. To reduce the risk of getting fooled, save files and browse them after
 download using a display method that minimizes risks.
+
+## NULL dereferences and crashes
+
+If a malicious server can trigger a NULL dereference in curl or otherwise
+cause curl to crash (and nothing worse), chances are big that we do not
+consider that a security problem.
+
+Malicious servers can already cause considerable harm and denial of service
+like scenarios without having to trigger such code paths. For example by
+stalling, being terribly slow or by delivering enormous amounts of data.
+Additionally, applications are expected to handle "normal" crashes without
+that being the end of the world.
+
+There need to be more and special circumstances to treat such problems as
+security issues.