From 58771cf4f3f45ccce41e9309427df557c86ce81f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 26 Jun 2026 16:23:08 +0200 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: issues that should be found by tests are LOW Closes #22190 --- docs/VULN-DISCLOSURE-POLICY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index a115ee1716..847579edb5 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -183,6 +183,10 @@ trigger. Due to timing, platform requirements or the fact that options or protocols involved are rare etc. [Past example](https://curl.se/docs/CVE-2022-43552.html) +Issues that are likely to be detected by basic testing are likely to not be +considered more severe than **Low**. Users that do not test cannot be expected +to have secure setups to begin with. + ## Medium This is a security problem that is less hard than **Low** to exploit or