From: Dan Fandrich Date: Fri, 28 Feb 2025 20:36:14 +0000 (-0800) Subject: docs: vulnerabilities in debug code are not eligible for a bounty X-Git-Tag: curl-8_13_0~313 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c693cc02b031d008a36e885bde55963500382930;p=thirdparty%2Fcurl.git docs: vulnerabilities in debug code are not eligible for a bounty This is code that is off by default and is therefore treated as a regular bug. Ref: #16526 Closes #16527 --- diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index d0785de8d9..35063053d2 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -247,11 +247,11 @@ local system or network, the bar is raised. If a local user wrongfully has elevated rights on your system enough to attack curl, they can probably already do much worse harm and the problem is not really in curl. -## Experiments +## Debug & Experiments Vulnerabilities in features which are off by default (in the build) and -documented as experimental, are not eligible for a reward and we do not -consider them security problems. +documented as experimental, or exist only in debug mode, are not eligible for a +reward and we do not consider them security problems. ## URL inconsistencies
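Review bot: In the rewritten sentence under `## Debug & Experiments`, the added clause "or exist only in debug mode" does not parse cleanly against "features which are off by default (in the build) and documented as experimental". It is unclear whether it is the vulnerability or the feature that exists only in debug mode, and whether the "off by default" condition is meant to apply to the debug case as well. The commit message says "debug code" that is "off by default", while the policy text says "debug mode", a term the visible lines do not define. Suggest splitting this into two sentences, one for experimental features and one stating that vulnerabilities present only in debug code (off by default in the build) are not eligible for a reward, and using the same term in both the commit message and the policy. Renaming the heading from `## Experiments` also changes the section's anchor, so existing links to that section are worth checking.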