Update SECURITY.md to clarify design choice

2026-06-28 08:14:17 +00:00 · 2026-06-23 23:37:55 -07:00
parent 63c19e7f75
commit 00baacb26c
1 changed files with 1 additions and 0 deletions
@@ -63,6 +63,7 @@ The following are not generally considered vulnerabilities unless accompanied by
 - optional webhook, mail, AI, OCR, or integration behavior described without a product-level vulnerability
 - missing limits or hardening settings presented without concrete impact
 - generic AI or static-analysis output that is not confirmed against the current codebase and a real deployment scenario
+- the ability to attach objects that a user cannot access to a document by ID is an intentional design choice, and not considered a vulnerability

 ## Transparency