From 00baacb26c8e669d12c480a59274e7dc541fb82a Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Tue, 23 Jun 2026 23:37:55 -0700
Subject: [PATCH] Update SECURITY.md to clarify design choice

---
 SECURITY.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/SECURITY.md b/SECURITY.md
index 14e6d43ac..a7eafcc40 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -63,6 +63,7 @@ The following are not generally considered vulnerabilities unless accompanied by
 - optional webhook, mail, AI, OCR, or integration behavior described without a product-level vulnerability
 - missing limits or hardening settings presented without concrete impact
 - generic AI or static-analysis output that is not confirmed against the current codebase and a real deployment scenario
+- the ability to attach objects that a user cannot access to a document by ID is an intentional design choice, and not considered a vulnerability
 
 ## Transparency