From: Daniel Gustafsson <daniel@yesql.se>
Date: Fri, 27 Jun 2025 10:08:01 +0000 (+0200)
Subject: VULN-DISCLOSURE-POLICY: exclude not installed software
X-Git-Tag: curl-8_15_0~141
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=86eb0542861e6bfabbde41b514bb889db2427333;p=thirdparty%2Fcurl.git

VULN-DISCLOSURE-POLICY: exclude not installed software

Flaws in any script or compiled artifact which isn't installed by
default is not considered to be security vulnerabilities.

Closes #17761
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
---

diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md
index 9dd349298e..ed2827bf2d 100644
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -253,6 +253,9 @@ Vulnerabilities in features which are off by default (in the build) and
 documented as experimental, or exist only in debug mode, are not eligible for a
 reward and we do not consider them security problems.
 
+The same applies to scripts and software which are not installed by default by
+the make install rule.
+
 ## URL inconsistencies
 
 URL parser inconsistencies between browsers and curl are expected and are not