Commit 38e6a96

docs: add out of scope section to SECURITY.md (#2874)
Added a note about the scope of vulnerabilities and the importance of human-reviewed reports.
1 parent 6cd52fc commit 38e6a96

1 file changed

Lines changed: 11 additions & 0 deletions

SECURITY.md

@@ -10,6 +10,17 @@ In your message, please include:
1010
1. Reproducible steps to trigger the vulnerability.
1111
2. An explanation of what makes you think there is a vulnerability.
1212
3. Any information you may have on active exploitations of the vulnerability (zero-day).
13+
4. An explanation of why you believe the vulnerability is not out of scope. See the Out of Scope section below.
14+
15+
We encourage reports that are meaningful, high-impact, and reviewed by a human before submission. Fully automated or AI-generated reports submitted without human review and validation are unlikely to meet this bar and risk being declined.
16+
17+
## Out of Scope
18+
19+
Haystack is a framework intended to run inside a trusted execution environment. It assumes that the application built with it has already validated and sanitized user-supplied input before passing it to the framework. Validation and sanitization of input, for example URLs, file paths, filter expressions, and queries, are the responsibility of the application, not Haystack.
20+
21+
Any vulnerability that can only be triggered by passing unsanitized, attacker-controlled input to Haystack is considered out of scope. This reflects a conscious design decision after evaluating the trade-offs and risks: as a framework, Haystack cannot and should not enforce input validation on behalf of every application that uses it.
22+
23+
If you are uncertain whether a finding falls within scope, feel free to reach out before submitting a full report.
1324

1425
## Vulnerability Response
1526
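Review bot: "trusted execution environment" in the first paragraph of the new Out of Scope section reads as the hardware enclave term (TEE), which is not what this policy means; suggest "trusted environment" or "a trusted application context, where the calling application controls what input reaches the framework". The blanket exclusion in the next paragraph ("Any vulnerability that can only be triggered by passing unsanitized, attacker-controlled input to Haystack") can also be read to cover defects an application cannot reasonably prevent by validation, for example a component that mishandles a syntactically well-formed URL, file path or filter expression it is handed; consider adding a sentence that bugs in how Haystack itself processes well-formed input remain in scope, and one concrete example of what "validated and sanitized" means for the input kinds the section lists (URLs, file paths, filter expressions, queries), so reporters can answer the new item 4 consistently.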
