LLM POLICY

Revised 26 June 2026

We restrict how Large Language Models (LLMs) can be used in the context of our organisation and our projects. If a submission (e.g. a PR, issue, comment or forum post) does not comply with this policy, we may close or delete it without prior notice.

Note

In addition to this policy, you must also comply with our code of conduct and the relevant CONTRIBUTING.md file of the project.

Policy

No output of LLMs in code or documentation

We require all code and documentation contributions to be authored by a human. You must not include content generated by LLMs or other probabilistic tools.

As an exception to this rule, a suggested fix generated by an LLM as part of a vulnerability or bug report may be included, because it can help pinpoint the underlying issue during triage.

Disclose LLM use

We want to interact with humans, not with LLMs. In your interactions with us, be respectful of our time, and disclose the use of an LLM. This includes opening issues, sending vulnerability reports, and posting on our community forum.

Translation can be helpful if English is not your native language. If you use machine translation when communicating with us, we encourage you to disclose such use to us so that both sides are aware of possible miscommunication as a result of mistranslation. Alternatively, you could also write in your native language if you cannot assess the correctness of the translation.

Use of LLM translation is discouraged, because the generative nature of LLMs would most likely confuse rather than ease the discussion.

LLM output remains your responsibility

Your use of LLMs for linting, analysis or review is permitted under this policy. However, you remain responsible for the output of an LLM. If an LLM assists you in finding or analysing an issue, you remain responsible for understanding and verifying the correctness of the information you share with us.

Examples

LLM-assisted vulnerability reporting

We accept reports of vulnerabilities found with LLMs. With your report, you can include an LLM-suggested fix to help us pinpoint the issue. To comply with this policy, after the LLM finds an issue, you as the human contributor verify the issue and the estimated severity. Then, when you send a report to sep@nlnetlabs.nl, you must disclose the use of an LLM.

See the security report page for more information on reporting vulnerabilities to us.

PR creation

We do not accept LLM-generated contributions. Any code you submit cannot be generated by an LLM. When you open a PR, use your own words and be concise in the PR description.

In general, you should not open PRs for new features without talking to us first. If you have ideas on how our software could change to accommodate your use-case, please share your own thoughts on our community forum.