VULN-DISCLOSURE-POLICY: on legacy dependencies
Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes curl#16086
bagder committed Jan 27, 2025
1 parent 35b1c15 commit cb4cd36
Showing 1 changed file with 15 additions and 0 deletions.
15 changes: 15 additions & 0 deletions docs/VULN-DISCLOSURE-POLICY.md
Expand Up @@ -322,3 +322,18 @@ that being the end of the world.

There need to be more and special circumstances to treat such problems as
security issues.

## Legacy dependencies

Problems that can be triggered only by the use of a *legacy dependency* are
not considered security problems.

A *legacy dependency* is here defined as:

- the legacy version was released over ten years ago AND

- the legacy version is no longer in use by any existing still supported
operating system or distribution AND

- there are modern versions of equivalent or better functionality offered and
in common use
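
Review bot: All three bullets under "A *legacy dependency* is here defined as:" refer to "the legacy version" without saying what it is a version of, so the term being defined (a dependency) and the thing the criteria test (a specific release of it) do not line up. Consider wording the first bullet along the lines of "the version of the dependency in use was released over ten years ago" and stating the reference date the ten years is measured against (presumably the date of the report). The second bullet, "any existing still supported operating system or distribution", would read more cleanly as "any still-supported operating system or distribution", and both it and "in common use" in the third bullet leave open who makes that determination during triage; a short sentence naming the deciding party would make the rule easier to apply consistently.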
