[gnutls-devel] GnuTLS | cli, serv: make it explicit that they are a testing program (!2086)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Fri Mar 27 18:17:56 CET 2026
Alexander Sosedkin started a new discussion on SECURITY.md: https://gitlab.com/gnutls/gnutls/-/merge_requests/2086#note_3198655749
> # Which issues are security issues
>
> A metric we consult to assessing security vulnerabilities is
> -the [CVSS](https://www.first.org/cvss) metric. Only vulnerabilities
> +the [CVSS](https://www.first.org/cvss) v3.1 metric. Only vulnerabilities
> at the high or critical level are handled with this process. Other
> issues are handled with the normal release process.
>
> +Some of the bundled programs, including gnutls-cli and gnutls-serv,
> +are for testing and diagnostic purposes. Issues reported against those
> +programs are not treated as a vulnerability.
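Review bot: In the added paragraph, "Some of the bundled programs, including gnutls-cli and gnutls-serv" leaves open which other bundled programs fall outside the process, so a reporter cannot tell from this text alone whether a given tool is in scope; list the excluded programs explicitly or state the rule that decides it. In the same paragraph, "Issues ... are not treated as a vulnerability" mismatches in number and would read better as "are not treated as vulnerabilities". In the first changed line, now that the text names v3.1, the link could point at the v3.1 specification rather than the general CVSS page.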
I'd suggest "reported against those programs and not library proper" or "confined to those programs alone", purely so that it's clear that it's fine to send us reproducers using them.