From 0d015fb3f6f49bb54c08234aeecc962d92adb8ff Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 3 May 2022 08:50:10 +0200 Subject: [PATCH] SECURITY-PROCESS: mention "URL inconsistencies" ... as common problems that are *not* vulns. --- docs/SECURITY-PROCESS.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/SECURITY-PROCESS.md b/docs/SECURITY-PROCESS.md index 345d98ff72..f6e0d31b63 100644 --- a/docs/SECURITY-PROCESS.md +++ b/docs/SECURITY-PROCESS.md @@ -188,3 +188,12 @@ already do much worse harm and the problem is not really in curl. Vulnerabilities in features which are off by default (in the build) and documented as experimental, are not eligible for a reward and we do not consider them security problems. + +## URL inconsistencies + +URL parser inconsistencies between browsers and curl are expected and are not +considered security vulnerabilities. The WHATWG URL Specification and RFC +3986+ (the plus meaning that it is an extended version) [are not completely +interoperable](https://github.com/bagder/docs/blob/master/URL-interop.md). + +Obvious parser bugs can still be vulnerabilities of course. -- 2.47.3
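Review bot: The new "URL inconsistencies" section does not say where the line between an "inconsistency" and a "parser bug" falls, so the last sentence ("Obvious parser bugs can still be vulnerabilities of course.") leaves reporters and triagers guessing. Suggest stating the criterion the project actually applies, for example that a difference from what a browser does with the same string is expected, while a parse that contradicts curl's own documented URL handling, or that makes curl connect to a host other than the one its parser reports, is still in scope. Two smaller points in the same hunk: the parenthetical "RFC 3986+ (the plus meaning that it is an extended version)" says that curl's dialect extends the RFC but not in what way, so either drop the plus or point to where curl documents its deviations; and the link to https://github.com/bagder/docs/blob/master/URL-interop.md goes to a personal repository rather than a curl-hosted page, which is more likely to rot in a policy document that reporters will be pointed at for years.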