SECURITY.md: make it explicit that testing programs are out of scope

author Daiki Ueno <ueno@gnu.org>

Fri, 27 Mar 2026 01:24:13 +0000 (10:24 +0900)

committer Daiki Ueno <ueno@gnu.org>

Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)
author Daiki Ueno <ueno@gnu.org>
Fri, 27 Mar 2026 01:24:13 +0000 (10:24 +0900)
committer Daiki Ueno <ueno@gnu.org>
Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)
diff --git a/SECURITY.md b/SECURITY.md

index 26d3e8457bbe2687d0fc4627ed97b7b1598771ef..4a28e9231e0e4622d97bf14b7f6be689e0214217 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -13,6 +13,10 @@ the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities
  at the high or critical level are handled with this process. Other
  issues are handled with the normal release process.
  
+Some of the bundled programs, including gnutls-cli and gnutls-serv,
+are for testing and diagnostic purposes. Issues reported against those
+programs and not library proper are not treated as a vulnerability.
+
  # Committing a fix
  
  The fix when is made available, preferably within 1 month of the report,
author	Daiki Ueno <ueno@gnu.org>
	Fri, 27 Mar 2026 01:24:13 +0000 (10:24 +0900)
committer	Daiki Ueno <ueno@gnu.org>
	Sun, 29 Mar 2026 00:18:50 +0000 (09:18 +0900)