binutils Newspaper
JUNE 15, 2026

Update the SECURITY.txt document to clarify security compromise

Clarifies the definition of a security bug in binutils, focusing on direct compromises and vulnerabilities introduced into generated output.

The SECURITY.txt document for binutils was updated to clarify what constitutes a security bug. The update emphasizes that a security bug involves either a direct compromise of security (allowing elevated permissions) or the introduction of a vulnerability in the generated output that wasn’t present in the input. It also highlights that bugs relying on untrusted input must cross a trust boundary to be considered security issues. These changes provide clearer guidelines for reporting and handling security-related issues in binutils.

In Details

This commit updates binutils/SECURITY.txt to clarify the scope of security vulnerabilities. The key addition is the emphasis on a 'direct compromise of security' that allows operations with elevated permissions. This helps differentiate general bugs from those with security implications, particularly where untrusted input and trust boundaries are involved, and it affects how security issues are classified and addressed within the binutils project.

For Context

The binutils project provides essential tools for software development, including assemblers, linkers, and other utilities. The SECURITY.txt file outlines the project's stance on security vulnerabilities. This update clarifies what types of bugs are considered security-related, focusing on situations where the tools themselves are compromised or introduce vulnerabilities into the software they produce. The clarification helps users and developers understand how security issues are defined and handled within the binutils ecosystem.

Filed Under: security, policy, binutils