VULN-DISCLOSURE-POLICY: non-released code

Closes #22025
Daniel Stenberg 2026-06-15 14:03:20 +02:00
parent 0882e3951d
commit b0d733e143
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2


@ -384,6 +384,17 @@ For example, a user might pass in a username that looks like
`Mr[CR][LF]Smith`. It may cause some minor havoc in the protocol handling,
depending on what protocol is used.
## Non-released code
Only curl releases are ever considered *secure*. Between releases, we are
under development and then we may have code present in the git repository that
is insecure, but without those flaws being considered as vulnerabilities.
Another reason we strongly suggest you only use curl release versions in
production.
Unreleased code may also contain fixes to problems that were present in the
most recent release.
# curl major incident response
Vulnerability disclosure manages the full life cycle of a vulnerability
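Review bot: The new "Non-released code" section states that flaws in git-only code are not considered vulnerabilities, but it never tells a reporter what to do when they find one. A sentence saying how such a flaw should be reported would close that gap and keep those reports out of the vulnerability process. The opening line "Only curl releases are ever considered *secure*" can also be read as a guarantee about releases; wording it in terms of which code the policy covers would be more precise. Finally, "Another reason we strongly suggest you only use curl release versions in production." is a sentence fragment; "This is another reason we strongly suggest ..." reads cleanly.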