From 2b16b86bb6a70c88b727a8299cfe0a2fc6c3dba5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Nov 2023 08:39:29 +0100
Subject: [PATCH] VULN-DISCLOSURE-POLICY: escape sequences are not a security
 flaw

Closes #12278
---
 docs/VULN-DISCLOSURE-POLICY.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md
index 3ce2203291..631e6a6151 100644
--- a/docs/VULN-DISCLOSURE-POLICY.md
+++ b/docs/VULN-DISCLOSURE-POLICY.md
@@ -283,3 +283,12 @@ and if an attacker can trick the user to run a specifically crafted curl
 command line, all bets are off. Such an attacker can just as well have the
 user run a much worse command that can do something fatal (like
 `sudo rm -rf /`).
+
+## Terminal output and escape sequences
+
+Content that is transferred from a server and gets displayed in a terminal by
+curl may contain escape sequences or use other tricks to fool the user. This
+is curl working as designed and is not a curl security problem. Escape
+sequences, moving cursor, changing color etc, is also frequently used for
+good. To reduce the risk of getting fooled, save files and browse them after
+download using a display method that minimizes risks.