From a2591bafa0eb8836f43fd7769ca7f0607c44eedb Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 17 Sep 2020 09:51:28 +0200 Subject: [PATCH] Enhance scope --- SECURITY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 2fb045209b4..0bc7c59ac48 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -69,7 +69,10 @@ ONLY vulnerabilities discovered, when the following setup on tested platform is * The module DebugBar must NOT be enabled (by default, this module is not enabled. This is a developer tool) * The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool) * The constant MAIN_SECURITY_CSRF_WITH_TOKEN must be set to 1 into backoffice menu Home - Setup - Other (this protection should be enabled soon by default) +* The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool) * ONLY security reports on modules provided by default and with the "stable" status are allowed (troubles into "experimental", "developement" or external modules are not accepted). +* The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer). +* The web server setup must be done so only the documents directory is in write mode. The root directory with htdocs must be readonly. Scope is the web application (back office) and the APIs.
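Review bot: The added line `+* The module ModuleBuilder must NOT be enabled (by default, this module is not enabled. This is a developer tool)` duplicates the unchanged context line two lines above it, so the scope list would state the ModuleBuilder requirement twice; drop the `+` line (or, if a different module was intended, name that module). In the added line about the web server root, "may differs with external installer" should read "may differ with an external installer". The two new lines about the documents directory and read-only `htdocs` are worth keeping since they tie the scope to the layout the default installer produces; it would help readers of the list to say which of the two deployment conditions (documents outside the web root, or htdocs read-only) disqualifies a report when only one of them is violated.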