[llvm-dev] [RFC] LLVM Security Group and Process

[Tim Northover via llvm-dev]

On Mon, 25 Nov 2019 at 15:36, James Y Knight via llvm-dev
<llvm-dev at lists.llvm.org> wrote:
> What I want is for it to be clear that certain kinds of issues are currently explicitly out-of-scope. E.g. crashes/code-execution/etc resulting from parsing or compiling untrusted C source-code with Clang, or parsing/compiling untrusted bitcode with LLVM, or linking untrusted files with LLD. These sorts of things should not, currently, be treated with a "security" mindset. They're bugs, which should be fixed, but if something's security depends on llvm being able to securely process untrusted inputs, sorry, that's not reasonable. (And yes, that's maybe sad, but is the reality right now). Until someone is willing to put in the significant effort to make those processes generally secure for use on untrusted inputs, handling individual bug-reports of this kind via a special process is not going to realistically improve security.

I agree 100% with this. LLVM is not secure in that way. Treating that
kind of report as a serious security issue would just be security
theatre and give the impression the project is developed with
different goals than many people writing the code (including me)
actually have. Moving to a world where it's reasonable to make those
crashes a security issue won't even be substantially helped by that
kind of whack-a-mole approach.

Cheers.

Tim.