VULN-DISCLOSURE-POLICY: on legacy dependencies

Problems that only trigger using *legacy* dependencies are not
considered security problems.

Closes #16086
Daniel Stenberg 2025-01-25 12:04:04 +01:00
parent 35b1c1585b
commit cb4cd36fe7
GPG Key ID: 5CC908FDB71E12C2

@ -322,3 +322,18 @@ that being the end of the world.
There need to be more and special circumstances to treat such problems as There need to be more and special circumstances to treat such problems as
security issues. security issues.
## Legacy dependencies
Problems that can be triggered only by the use of a *legacy dependency* are
not considered security problems.
A *legacy dependency* is here defined as:
- the legacy version was released over ten years ago AND
- the legacy version is no longer in use by any existing still supported
operating system or distribution AND
- there are modern versions of equivalent or better functionality offered and
in common use
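Review bot: the three criteria are joined with AND, so a version that is more than ten years old but still shipped by any supported operating system or distribution does not count as legacy; that is the conservative reading and worth keeping, but "still supported" and "in common use" are left undefined, and a reporter could reasonably ask whether paid or extended-support streams of a distribution count as "supported". Consider adding one sentence after the list stating who makes that call (for example that the curl security team decides case by case) so the bullet "the legacy version is no longer in use by any existing still supported operating system or distribution" has a clear arbiter.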