From 86eb0542861e6bfabbde41b514bb889db2427333 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Fri, 27 Jun 2025 12:08:01 +0200 Subject: [PATCH] VULN-DISCLOSURE-POLICY: exclude not installed software Flaws in any script or compiled artifact which isn't installed by default is not considered to be security vulnerabilities. Closes #17761 Reviewed-by: Daniel Stenberg --- docs/VULN-DISCLOSURE-POLICY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 9dd349298e..ed2827bf2d 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -253,6 +253,9 @@ Vulnerabilities in features which are off by default (in the build) and documented as experimental, or exist only in debug mode, are not eligible for a reward and we do not consider them security problems. +The same applies to scripts and software which are not installed by default by +the make install rule. + ## URL inconsistencies URL parser inconsistencies between browsers and curl are expected and are not
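Review bot: The scope of the added sentence in the hunk at line 253 is narrower and vaguer than the commit message it implements. The new text ties the exclusion to "the make install rule" only, and it says "scripts and software", where the commit message says "any script or compiled artifact which isn't installed by default". Consider wording it in terms of the install step in general and reusing the commit message's terms, for example "The same applies to scripts and compiled artifacts in the source tree that are not installed by default by the build's install step (such as `make install`)." That way a reporter cannot read it as applying to one build path only. "The same applies" also has two antecedents in the preceding paragraph (not eligible for a reward, and not considered security problems). The commit message only states the second, so it would help to spell out whether both are meant.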