NLnet Labs - LLM Policy
LLM POLICY
Revised 26 June 2026
We restrict how Large Language Models (LLMs) can be used in the context of our<br>organisation and our projects. If a submission (e.g. PR, issue, comment, forum<br>post, etc.) does not comply with this policy, we may close or delete it without<br>prior notice.
Note
In addition to this policy, you must also comply with our<br>code of conduct and the relevant<br>CONTRIBUTING.md file of the project.
Policy
No output of LLMs in code or documentation
We require all code and documentation contributions to be authored by a human.<br>You must not include content generated by LLMs or other probabilistic tools.
As an exception to this rule, a suggested fix generated by an LLM as part of a<br>vulnerability or bug report may be included, because it can help pinpoint the<br>underlying issue during triage.
Disclose LLM use
We want to interact with humans, not with LLMs. In your interactions with us,<br>be respectful of our time, and disclose the use of an LLM. This includes opening<br>issues, sending vulnerability reports, and posting on our community forum.
Translation can be helpful if English is not your native language. If you use<br>machine translation when communicating with us, we encourage you to disclose<br>such use to us so that both sides are aware of possible miscommunication as a<br>result of mistranslation. Alternatively, you could also write in your native<br>language if you cannot assess the correctness of the translation.
Use of LLM translation is discouraged based on their generative attributes that<br>would most likely confuse rather than ease the discussion.
LLM output remains your responsibility
Your use of LLMs for linting, analysis or review is permitted under this policy.<br>However, you remain responsible for the output of an LLM. If an LLM assists you<br>in finding or analysing an issue, you remain responsible to understand and<br>verify the correctness of the information you share with us.
Examples
LLM-assisted vulnerability reporting
We accept reports of vulnerabilities found with LLMs. With your report, you can<br>include an LLM suggested fix to help us pinpoint the issue. To comply with this<br>policy, after the LLM finds an issue, you as the human contributor verify the<br>issue and the estimated severity. Then, when you send a report to<br>sep@nlnetlabs.nl you must disclose the use of an LLM.
See the security report page for more information on<br>reporting vulnerabilities to us.
PR creation
We do not accept LLM-generated contributions. Any code you submit cannot be<br>generated by an LLM. When you open a PR, use your own words and be concise in<br>the PR description.
In general, you should not open PRs for new features without talking to us first.<br>If you have ideas on how our software could change to accommodate your use-case,<br>please share your own thoughts on our<br>community forum.
Stichting NLnet Labs
Science Park 400, 1098 XH Amsterdam, The Netherlands
General contact address: labs@nlnetlabs.nl
For product support please use our community forum.
NLnet Labs is a non-profit Public Benefit Organisation (Algemeen Nut Beogende Instelling or ANBI).
© 2026 Stichting NLnet Labs