Add paragraph on undefined behaviour Add a note that we do aim to protect against undefined behaviour and undefined behaviour in certificate parsing is in scope. Signed-off-by: David Horstmann <david.horstmann@arm.com>

commit: 2c400fc1a2211991522cb3e66c18647f53dac6bf [log] [tgz]
author: David Horstmann <david.horstmann@arm.com> Wed Jan 22 14:48:58 2025 +0000
committer: David Horstmann <david.horstmann@arm.com> Wed Jan 22 14:50:36 2025 +0000
tree: a8bdb1fa8cbbd09ce8ed6f37d3327b153307457c
parent: 110e5341eb322087c9847a9d4041692b5daecb95 [diff]
diff --git a/SECURITY.md b/SECURITY.md
index b4d564e..e6d0bbf 100644
--- a/SECURITY.md
+++ b/SECURITY.md

@@ -149,3 +149,8 @@
 validation is performed separately to ensure that they are compliant to the
 relevant specifications. This makes Mbed TLS on its own unsuitable use in a
 Certificate Authority (CA).
+
+However, Mbed TLS aims to protect against memory corruption and other
+undefined behavior when parsing certificates and CSRs. If a CSR or signed
+certificate causes undefined behavior when it is parsed by Mbed TLS, that
+is considered a security vulnerability.
commit	2c400fc1a2211991522cb3e66c18647f53dac6bf	[log] [tgz]
author	David Horstmann <david.horstmann@arm.com>	Wed Jan 22 14:48:58 2025 +0000
committer	David Horstmann <david.horstmann@arm.com>	Wed Jan 22 14:50:36 2025 +0000
tree	a8bdb1fa8cbbd09ce8ed6f37d3327b153307457c
parent	110e5341eb322087c9847a9d4041692b5daecb95 [diff]