From 6f4661ce8f65dbc17797d7b55a3020f8b744b1c6 Mon Sep 17 00:00:00 2001 From: George Burgess IV Date: Thu, 22 Jan 2026 17:19:09 -0700 Subject: [PATCH] [SECURITY.md] add pointers to "what is a security issue" (#177372) Over the years, the security group has received a decent number of reports of malicious input causing e.g., Clang to crash. While these reports are valuable, it seems useful to clarify that many of them are considered bugs, rather than security issues. --- SECURITY.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index f6a5e6c01629..558ecb8de498 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,3 +3,12 @@ To report security issues in LLVM, please follow the steps outlined on the [LLVM Security Group](https://llvm.org/docs/Security.html#how-to-report-a-security-issue) page. + +## Security Issue Scope + +Many of LLVM's tools are explicitly **not** considered to be hardened against +malicious input. Bugs in LLVM tools like buffer overreads or crashes are +valuable to report [as Issues](https://github.com/llvm/llvm-project/issues), +but aren't always seen as security vulnerabilities. Please see +[our documentation](https://llvm.org/docs/Security.html#what-is-considered-a-security-issue) +for a more precise definition of a security issue in this repository.
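Review bot: the wording "aren't always seen as security vulnerabilities" in the new "Security Issue Scope" section is softer than the commit message's stated intent ("many of them are considered bugs, rather than security issues") and leaves the reader without a default for the ambiguous case, which matters because the same paragraph names buffer overreads, a bug class that is security-relevant when it occurs in a component that does process untrusted input. Suggest tightening the sentence and giving readers an explicit fallback, for example: "Bugs in compiler tools such as Clang, like buffer overreads or crashes on malicious input, are valuable to report as Issues but are generally treated as ordinary bugs rather than security vulnerabilities." followed by "If you are unsure whether a bug is in scope, use the security reporting process above." That keeps the reduction in misdirected reports the commit aims for without discouraging a reporter who has found an overread in a component the linked documentation does consider security-sensitive.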