[llvm] Improve description of what is considered a security issue (PR #147035)
George Burgess IV via llvm-commits
llvm-commits at lists.llvm.org
Thu Jul 10 10:28:10 PDT 2025
================
@@ -204,10 +205,9 @@ The LLVM Security Policy may be changed by majority vote of the LLVM Security Re
What is considered a security issue?
----------------
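Review bot: the reStructuredText underline `----------------` in this hunk is shorter than the heading text `What is considered a security issue?` above it; docutils emits "Title underline too short" for such headings, and a docs build that treats warnings as errors will fail on it. Whether this line is pre-existing context or touched by the PR, extend the underline to at least the width of the heading text while this section is being reworked.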
gburgessiv wrote:
I wonder if it would be helpful to add a concise tl;dr here?
```
**tl;dr**: Generally speaking, most security issues will be focused on
_a bug or deficiency in LLVM tooling_ that leads to an increased attack
surface in _artifacts produced by said tooling_. Moreover, a buffer
overflow in well-defined usage of libcxx is very likely to be a security
issue, as this defect may lead to vulnerabilities in well-formed code that
uses libcxx. An arbitrary buffer overflow in Clang's frontend is less likely
to be considered a security issue, as the most likely outcome is that it
leads to a Clang crash, which most often just leads to a build failure.
```
Admittedly, "artifacts" isn't as precise as I'd like it to be, but maybe a bit of iteration on ^ can help us set the tone for this section?
https://github.com/llvm/llvm-project/pull/147035