From: Willy Tarreau Date: Sun, 31 May 2026 22:46:21 +0000 (+0200) Subject: DOC: security: also add a note to exclude dev/ and admin/ X-Git-Tag: v3.4.0~39 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=41a20c1738110123ea9c543162357d55e81ded69;p=thirdparty%2Fhaproxy.git DOC: security: also add a note to exclude dev/ and admin/ These ones are not intended for production so they're out of scope. This also fixes a paragraph formatting issue left after a fix. --- diff --git a/doc/security.txt b/doc/security.txt index 64be7499f..bd218d9ec 100644 --- a/doc/security.txt +++ b/doc/security.txt @@ -15,6 +15,10 @@ handful of security officers; anything shared there remains private. Please include a reproducer, and ideally a proposed and tested patch, as well as a valid name under which the report can be credited. +Auxiliary tools in dev/ and admin/ are not intended for production use and are +by nature out of the security scope. Please report bugs affecting them via the +regular channels. + We usually don't use embargoes: once a fix is available it simply gets merged. In rare circumstances a release may be coordinated with software vendors, but this disrupts everyone's work and rushed releases can introduce new bugs, so it 
@@ -24,11 +28,11 @@ credited way to report an issue is to provide a working fix, which will appear in the changelogs. Findings produced with the help of AI MUST be accompanied by a working, tested -patch. Such tools routinely report issues that -are out of scope (see the threat model above) or simply not real, and reviewing -them by hand wastes the very time and trust this process depends on. A -model-generated report that arrives without a verified reproducer and a fix will -generally not be processed. +patch. Such tools routinely report issues that are out of scope (see the +threat model above) or simply not real, and reviewing them by hand wastes the +very time and trust this process depends on. A model-generated report that +arrives without a verified reproducer and a fix will generally not be +processed. See also: - doc/internals/threat-model.txt : what qualifies as a vulnerability
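Review bot: in the first hunk (the new dev/ and admin/ paragraph inserted after "a valid name under which the report can be credited"), "via the regular channels" names no channel, so a reader who has just been told where to send security reports is left guessing where non-security bugs for these directories go; point them at the bug-reporting destination explicitly. The paragraph is also a scope statement, and the See also list below names doc/internals/threat-model.txt as the place that defines "what qualifies as a vulnerability"; record the exclusion there too (or at least say "see doc/internals/threat-model.txt" here) so scope decisions do not end up split between two files. Finally, placing it between the "Please include a reproducer" paragraph and the "We usually don't use embargoes" paragraph interrupts the description of the reporting process; it would read more naturally next to the threat-model reference.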
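Review bot: the second hunk is a reflow only and the text is unchanged, which matches the commit message, but since the paragraph is being touched it is worth reconciling its two statements of the rule: the opening sentence says AI-assisted findings "MUST be accompanied by a working, tested patch", while the closing sentence says a report arriving without a reproducer and a fix "will generally not be processed". Either it is a hard requirement (drop "generally") or a strong preference (soften "MUST"); as written, a reporter cannot tell whether a patch-less report will be read at all.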