An AI-assisted security scan of the curl codebase produced unusually low noise because the scanner read curl's VULN-DISCLOSURE-POLICY.md and automatically demoted findings that fell under the project's own exclusion categories — things like NULL dereferences triggered by a malicious server, small memory leaks, and command-line-dependent bugs. The post argues that well-written security policy files with specific exclusion lists and threat model reasoning can steer agentic scanners before findings ever reach a maintainer's inbox. It surveys prior art from Node.js, Django, and Chrome, and offers practical guidance: maintain a SECURITY.md with a contact address, build an exclusion list with named patterns and reasoning that generalises, and write a short threat model. A new category worth adding is 'documentation not matching behaviour', which AI scanners flag frequently but is only a security issue when the documented behaviour was a relied-upon security guarantee.

7 min read. From nesbitt.io