From 98a05d2d78251fad8f9e073705b0c234f65854a5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 7 Jan 2025 12:04:35 +0100 Subject: [PATCH] security/will-appear.md: mention learning --- security/will-appear.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/security/will-appear.md b/security/will-appear.md index dafbb24..50e01c0 100644 --- a/security/will-appear.md +++ b/security/will-appear.md @@ -24,3 +24,15 @@ sure that parts of your audience will react badly. They will think that because you published a security vulnerability, your project has a bigger problem of insecurity. As if not all actively developed projects get these problems, either open or proprietary. + +## Learn + +Every security incident is a chance to learn. Mistakes are for learning. Why +did this error slip through and cause this problem? What code pattern can we +detect or prohibit to prevent this or similar mistakes to happen again? + +This is hard. In my experience, most security problems feel like one-offs and +rare circmstances that happened because of strange changes and your own +stupidity. Seeing patterns and adjusting ways of working to prevent future +flaws is difficult work but should always be attempted, to make the most out +of every CVE.
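Review bot: The second added paragraph has a typo, "rare circmstances" should read "rare circumstances", and the sentence ending the first added paragraph is ungrammatical: "to prevent this or similar mistakes to happen again" should be "to prevent this or similar mistakes from happening again". A smaller point: the section asks "What code pattern can we detect or prohibit" but never says how that detection is meant to be realised; one clause naming the usual follow-ups, a regression test that reproduces the flaw and a static check or compiler warning that flags the pattern, would make the advice actionable rather than aspirational. Also "make the most out of every CVE" reads awkwardly; "get the most out of every CVE" is the idiomatic form.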