PDFBOX-6208: clarify sandbox is not a PDFBox provided one

Maruan Sahyoun · Maruan Sahyoun · commit deccb270b0c9 · 2026-05-28T19:16:04.000Z
git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1934732 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/SECURITY.md b/SECURITY.md
@@ -21,10 +21,11 @@ PDFBox supports processing of untrusted (potentially malicious or malformed)
 PDF files **to a limited degree**:
 
 - **In scope**: Remote code execution, privilege escalation, unauthorized data
-  access, sandbox escape, or disproportionate resource amplification (i.e.
-  small attacker-controlled inputs triggering catastrophic memory or CPU
-  consumption) caused by processing an untrusted PDF document. These are
-  genuine vulnerabilities and should be reported privately.
+  access, escape from an embedding application's sandbox or security boundary,
+  or disproportionate resource amplification (i.e. small attacker-controlled
+  inputs triggering catastrophic memory or CPU consumption) caused by processing
+  an untrusted PDF document. These are genuine vulnerabilities and should be
+  reported privately.
 
 - **Known limitations (not vulnerabilities)**: Malformed PDFs may cause
   unchecked exceptions such as `NullPointerException` or `StackOverflowError`,
