At the Security group round table, we discussed the following topics.
- We had some discussion about the threat model: which issues are considered security issues and which ones are not?
  - As a community, we don’t have an agreed threat model, and we think it would be next to impossible to define a threat model that everyone would agree on.
  - As a result, the security group makes judgments on whether a reported issue should be considered a security issue or not on a case-by-case basis.
- How do vendors get notified of security issues?
  - We don’t have a defined mechanism to reach out to all vendors, i.e. people who use LLVM in a product. We also do not have a list of all the vendors that make use of LLVM.
  - The current best way for a vendor to be sure of being informed is to join the security group.
- How does one join the security group?
  - The requirements for joining the group are documented at LLVM Security Group — LLVM 16.0.0git documentation. The process to join is documented in the following sections of that document.
- What kind of things has the group done?
  - See our transparency reports at LLVM Security Group Transparency Reports — LLVM 16.0.0git documentation.