VULN-DISCLOSURE-POLICY: on legacy dependencies

Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes #16086
Daniel Stenberg 2025-01-25 12:04:04 +01:00
parent 35b1c1585b
commit cb4cd36fe7
GPG Key ID: 5CC908FDB71E12C2


@ -322,3 +322,18 @@ that being the end of the world.
There need to be more and special circumstances to treat such problems as
security issues.
## Legacy dependencies
Problems that can be triggered only by the use of a *legacy dependency* are
not considered security problems.
A *legacy dependency* is here defined as:
- the legacy version was released over ten years ago AND
- the legacy version is no longer in use by any existing still supported
operating system or distribution AND
- there are modern versions of equivalent or better functionality offered and
in common use
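Review bot: the definition in the three bullets is not parallel with its lead-in: "A *legacy dependency* is here defined as:" introduces a dependency, but each bullet then describes "the legacy version", and "no longer in use by any existing still supported operating system or distribution" reads awkwardly. Suggest rewording to something like "A dependency version is considered *legacy* when all of the following hold:" followed by "- it was released over ten years ago AND" / "- it is no longer shipped by any still-supported operating system or distribution AND" / "- modern versions with equivalent or better functionality exist and are in common use". Since the section only states what such problems are not (security problems), consider adding one sentence on how reports about them are handled instead, e.g. as ordinary bug reports, so reporters know where to file.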