SECURITY: Describe that declassification is an option

jcjhot · Jan 15, 2023 · 48f0ae2 · 48f0ae2
1 parent c8d60a2
commit 48f0ae2
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -20,6 +20,14 @@ bottom of this file.
 
 [security-gpg]: https://riot-os.org/assets/keys/security.asc
 
+### Classification of a vulnerability
+
+Unless the reporter explicitly requests not to do so,
+the RIOT security maintainers may declassify an issue
+if the issue is not deemed critical --
+for example when it requires an unlikely combination of circumstances and/or configuration options,
+or when it can only be exploited by a user who gains no additional privileges.
+
 ## Notification of a Vulnerability
 
 After a fix is provided the security issue will be privately disclosed to the