From 64824e439d5228f6337ce1d8de615457d47c4646 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 18 May 2026 16:05:49 +0200 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: test code is not secure Don't tell us about it Closes #21660 --- docs/VULN-DISCLOSURE-POLICY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 1ce3f4e26d..99fb5577a3 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -254,6 +254,14 @@ security problems. The same applies to scripts and software which are not installed by default through the make install rule. +## Test code + +curl has an extensive test suite with lots of code written specifically to +exercise and verify curl, libcurl and specific internal functions. The test +code and its associated test servers are *not* intended for production use. +They are not secure, you should not assume otherwise and must not report about +security problems in those. + ## URL inconsistencies URL parser inconsistencies between browsers and curl are expected and are not
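Review bot: the last sentence of the new "## Test code" section, "They are not secure, you should not assume otherwise and must not report about security problems in those.", is a comma splice, and it does not say what a reporter should do instead. Consider splitting it, for example "They are not secure. Do not assume otherwise, and do not report problems in them as security vulnerabilities.", and add whether such findings are still welcome as ordinary bug reports, since "must not report" can be read as "do not tell us at all". The scope "test code and its associated test servers" would also be easier to apply if the section named where that code lives in the source tree, in the way the preceding context line scopes its exclusion by the make install rule.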