From b14702a3555a4219e47ea59eab1b13295bee6721 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Sun, 31 May 2026 09:50:07 +0200 Subject: [PATCH] [skip ci] Specify unserialize() in security policy (GH-22184) unserialize() may not receive attacker-controlled inputs according to our documentation. This is technically already included in the second bullet point, but common enough to be spelled out. --- SECURITY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 8a45d86049ee..24801b3b4e43 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,6 +34,8 @@ are not limited to): - `open_basedir` or `disable_functions` bypasses. +- Malicious `unserialize()` inputs. + # Vulnerability Policy Our full policy is described at
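Review bot: the new bullet `- Malicious `unserialize()` inputs.` is terser than the commit message's rationale and omits the reason the issue class is excluded, namely that the documentation already says `unserialize()` must not be given attacker-controlled input; readers of SECURITY.md will not see the commit message, so consider wording it as, for example, `- Malicious `unserialize()` inputs (the documentation states that `unserialize()` must not receive untrusted input).` so the exclusion is self-explaining. A second, minor point: the hunk adds a bare `+` line together with the bullet while the surrounding context already separates the list from the `# Vulnerability Policy` heading; please confirm the result keeps a single blank line between the list and the heading rather than two.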