From a4d8fd7a2a6b799a8e8064c11cefcd9b5c7ec1c9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 26 May 2026 09:09:24 +0200 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: emphasize the no email thank you part Closes #21747 --- docs/VULN-DISCLOSURE-POLICY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 4ff284e43f..379a6d0da5 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -36,6 +36,10 @@ announcement. [HackerOne](https://hackerone.com/curl). Issues filed there reach a handful of selected and trusted people. +- The curl project cannot handle vulnerability reports sent to us over email. + We lose track of the reports. We cannot easily disclose them. Please do not + send us reports over email. + - Messages that do not relate to the reporting or managing of an undisclosed security vulnerability in curl or libcurl are ignored and no further action is required.
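Review bot: The added bullet in the `@@ -36,6 +36,10 @@` hunk tells reporters not to use email but does not say what happens to a report that arrives by email anyway, and it does not point back to the channel to use instead. Because the bullet right after it says that unrelated messages "are ignored and no further action is required", a reader cannot tell whether an emailed vulnerability report is also dropped or gets redirected. Consider ending the new bullet with a sentence that states the outcome explicitly and refers to the HackerOne item directly above it. The opening sentence and "Please do not send us reports over email." also say the same thing twice, so one of them could carry that pointer instead. "We cannot easily disclose them" would read more clearly with a few words on why email gets in the way of disclosure.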