From 48f0ae23ffa0f09e60808fca821de25d3b53e02e Mon Sep 17 00:00:00 2001 From: chrysn Date: Sun, 15 Jan 2023 15:37:05 +0100 Subject: [PATCH] SECURITY: Describe that declassification is an option --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index a913a339034d..921201410187 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -20,6 +20,14 @@ bottom of this file. [security-gpg]: https://riot-os.org/assets/keys/security.asc +### Classification of a vulnerability + +Unless the reporter explicitly requests not to do so, +the RIOT security maintainers may declassify an issue +if the issue is not deemed critical -- +for example when it requires an unlikely combination of circumstances and/or configuration options, +or when it can only be exploited by a user who gains no additional privileges. + ## Notification of a Vulnerability After a fix is provided the security issue will be privately disclosed to the
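Review bot: the new paragraph under "### Classification of a vulnerability" says the maintainers "may declassify an issue" but never defines what declassification means for the report, and it gives the reporter no point at which to use the opt-out. Suggest adding one sentence that states how a declassified issue is handled afterwards, and one that says the reporter is informed before declassification, since "Unless the reporter explicitly requests not to do so" only works if the reporter knows the decision is pending. "Not deemed critical" would also benefit from naming who makes that call, given that the two examples ("an unlikely combination of circumstances and/or configuration options", "a user who gains no additional privileges") are judgement calls. Style: the new heading is level "###" with lower-case "vulnerability", while the following heading is "## Notification of a Vulnerability"; align the level and capitalization so the section does not nest under the preceding one by accident.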