RFC: Updating the Binutils SECURITY.txt document
Project / Subsystem
binutils / rfc
Date
2026-05-06
Proposer
Nick Clifton <nickc@redhat.com>
Source type
public_inbox
Consensus
Proposed
Sentiment
—/10
Technical tradeoffs
- Reduces noise from automated fuzzing, but may miss subtle vulnerabilities.
- Requires a clear definition of 'trust boundary' to avoid ambiguity.
All attributes
- project: binutils
- subsystem: rfc
- patch_id: —
- discussion_id: 87qzno3ip4.fsf@redhat.com
- source_type: public_inbox
- title: RFC: Updating the Binutils SECURITY.txt document
- headline: RFC: Update Binutils SECURITY.txt to Exclude Fuzzer-Induced Crashes
- tldr: Binutils SECURITY.txt will clarify that crashes from fuzzed binaries, without a breach of trust boundary, are not security bugs.
- proposer: Nick Clifton <nickc@redhat.com>
- consensus: Proposed
- outcome: proposed
- sentiment_score: —
- technical_tradeoffs:
  - Reduces noise from automated fuzzing, but may miss subtle vulnerabilities.
  - Requires a clear definition of 'trust boundary' to avoid ambiguity.
- series_id: —
- series_role: standalone
- series_parts: []
- tags: binutils, security, fuzzing, CVE
- bugzilla_url: —
- date: 2026-05-06T00:00:00.000Z
Nick Clifton proposes updating the binutils SECURITY.txt document to clarify that crashes caused by fuzzed input, without a demonstrated breach of a trust boundary (e.g., code execution as another user), will not be considered security bugs. He also wants to clarify that binutils tools are not intended to run as network services, so denial-of-service attacks are not relevant to them. The aim is to reduce the number of CVEs filed for fuzzer-induced crashes.