Commit c4105b6243e for php.net

commit c4105b6243e8c0ae6882e847414df5930ac45ac7
Author: Ilija Tovilo <ilija.tovilo@me.com>
Date:   Fri May 22 15:57:28 2026 +0200

    [skip ci] Add classification section to SECURITY.md (GH-22109)

    According to Volker, AI models respect this file when evaluating security
    issues. While we do link to php/policies:security-classification.rst, this
    clearly isn't enough to stop the frequent false-positive reports.

    I copied any relevant items from security-classification.rst, but also reworded
    them to be more explicit.

diff --git a/SECURITY.md b/SECURITY.md
index deb5a7a950a..8a45d86049e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -11,6 +11,29 @@ Vulnerability reports remain private until published. When published, you will
 be credited as a contributor, and your contribution will reflect the MITRE
 Credit System.

+# Classification
+
+Issues commonly reported that are _not_ considered security issues include (but
+are not limited to):
+
+- Invocation of specially crafted, malicious code intended to cause memory
+  violations. This commonly includes malicious error handlers, destructors or
+  `__toString()` functions. PHP does not offer sandboxing, and the execution of
+  untrusted code is always considered unsafe. Such issues are bugs, but not
+  security issues. They may still be reported, though please avoid reporting
+  the known issues.
+
+- Passing malicious arguments to functions clearly not intended to receive
+  unsanitized values, e.g. `mysqli_query()`. `escapeshellarg()` on the other
+  hand should clearly be hardened against unsafe inputs.
+
+- The use of legacy APIs or settings known to be insecure, particularly those
+  documented as such, or those with a secure alternative.
+
+- The use of FFI.
+
+- `open_basedir` or `disable_functions` bypasses.
+
 # Vulnerability Policy

 Our full policy is described at
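Review bot: In the first bullet, "please avoid reporting the known issues" gives a reporter no way to tell which issues are already known; point to where they are tracked, or say where to search before filing, so the request can actually be followed. The "The use of FFI." and "`open_basedir` or `disable_functions` bypasses." bullets are also the only two that state no reason, so a one-sentence rationale on each, in the style of the sandboxing sentence in the first bullet, would make them as explicit as the commit message says the section is meant to be. The `mysqli_query()` / `escapeshellarg()` bullet relies on "clearly" twice to draw the line between the two kinds of function; stating the criterion (for example, whether the function is documented as an escaping or sanitizing API) would leave less to interpretation.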