Add security FAQ entry about external lists

Lists like PSL and HSTS preload are incorporated into Chrome, but
the status of additions/removals in Chrome is not a security bug.

Change-Id: I7bdcabf711606c9896f97ccddf7a96686a4bf5e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6216082
Reviewed-by: Alex Gough <[email protected]>
Commit-Queue: Chris Thompson <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1413519}
diff --git a/docs/security/faq.md b/docs/security/faq.md
index 9a46ca8..518aa39 100644
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -686,6 +686,15 @@
there is a demonstrable way to show a memory corruption. e.g. with a POC causing
crash with ASAN **without the flags above**.
+<a name="TOC-hard-coded-lists"></a>
+### My domain is on the [Public Suffix List / HSTS preload list / etc.] upstream but this is not yet reflected in Chrome! Is this a security bug?
+
+Chrome does not make any guarantees about how soon additions to or removals from
+external lists like the [HSTS preload list](https://hstspreload.org) or the
+[Public Suffix List (PSL)](https://publicsuffix.org/) will be incorporated into Chrome.
+If you believe Chrome's copies of these lists are notably out-of-date, we are
+happy to field bug reports but we do not consider this to be a vulnerability.
+
## Certificates & Connection Indicators
<a name="TOC-Where-are-the-security-indicators-located-in-the-browser-window-"></a>
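Review bot: The closing sentence of the new entry ("we are happy to field bug reports but we do not consider this to be a vulnerability") invites reports without saying where or how to file them, so a reader who arrived via the security FAQ may still file it as a security bug. Suggest stating explicitly that these should be filed as regular, non-security bugs and linking to the place to do so. "Notably out-of-date" is also left undefined; a rough indication of the lag that is considered normal would help a site owner decide whether a report is warranted. Minor: the bracketed "[Public Suffix List / HSTS preload list / etc.]" in the heading reads like Markdown link syntax next to the real links in the paragraph below it; plain wording such as "an external list (Public Suffix List, HSTS preload list, etc.)" would avoid that.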