SECURITY: Describe that declassification is an option

2025-12-13 08:33:49 +01:00 · 2023-01-15 15:37:05 +01:00 · 2023-01-15 15:37:05 +01:00 · 48f0ae23ff
commit 48f0ae23ff
parent c8d60a2d31
1 changed files with 8 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,6 +20,14 @@ bottom of this file.

 [security-gpg]: https://riot-os.org/assets/keys/security.asc

+### Classification of a vulnerability
+
+Unless the reporter explicitly requests not to do so,
+the RIOT security maintainers may declassify an issue
+if the issue is not deemed critical --
+for example when it requires an unlikely combination of circumstances and/or configuration options,
+or when it can only be exploited by a user who gains no additional privileges.
+
 ## Notification of a Vulnerability

 After a fix is provided the security issue will be privately disclosed to the