diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 1ce3f4e26d..99fb5577a3 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -254,6 +254,14 @@ security problems. The same applies to scripts and software which are not installed by default through the make install rule. +## Test code + +curl has an extensive test suite with lots of code written specifically to +exercise and verify curl, libcurl and specific internal functions. The test +code and its associated test servers are *not* intended for production use. +They are not secure, you should not assume otherwise and must not report about +security problems in those. + ## URL inconsistencies URL parser inconsistencies between browsers and curl are expected and are not
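Review bot: The last sentence of the added "Test code" section ("They are not secure, you should not assume otherwise and must not report about security problems in those.") is a comma splice, and it reads as forbidding any report at all rather than only security reports. Consider splitting it, for example "They are not secure and you should not assume otherwise. Problems found in them are not considered security problems.", and say whether such findings can still be filed as ordinary bugs. The section also does not say which parts of the source tree count as "test code and its associated test servers"; naming the location would let a reporter tell where the boundary lies before deciding how to report.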