From 15a8a777b80edf3398fe045b946a4028aae46d83 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 7 Feb 2026 23:45:27 +0100 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: mention GitHub quirks Closes #20541 --- docs/VULN-DISCLOSURE-POLICY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 94cdc1a5ce..f9555320d7 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -99,6 +99,23 @@ announcement. - The security webpage on the website should get the new vulnerability mentioned. +## GitHub Advisories + +We receive *advisories* submitted on GitHub but we consider them to be +*reports*. Since we want to keep the original report as-is and preserved, we +cannot use this system to author nor publish the actual final advisory for a +confirmed vulnerability. + +The security reports submitted on GitHub are not published, instead they are +always closed weather confirmed or not. + +Confirmed security reports are instead published as security advisories on the +curl website in sync with the curl release in which the fix is published for +the vulnerability. + +Unfortunately, GitHub does not allow us to disclose the reports. They can only +be published as "advisories" - and they are not. + ## security (at curl dot se) This is a private mailing list for discussions on and about curl security
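Review bot: typo in the new "GitHub Advisories" section of docs/VULN-DISCLOSURE-POLICY.md: "always closed weather confirmed or not" should read "always closed whether confirmed or not". Two smaller wording points in the same added paragraphs: "cannot use this system to author nor publish" reads better as "cannot use this system to author or publish", and "are not published, instead they are always closed" is a comma splice that could be split, e.g. "are not published; instead they are always closed whether confirmed or not." The substance is clear and worth stating in the policy, namely that GitHub-submitted advisories are treated as reports, closed rather than published, and that the authoritative advisory is the one on the curl website released together with the fixing curl release.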