Security Group round table - LLVM dev meeting summary

At the Security group round table, we discussed the following topics.

  • We had some discussion about the threat model: which issues are considered security issues and which ones are not?
    • As a community, we don’t have an agreed threat model, and we think it would be next to impossible to define a threat model that everyone would agree on.
    • As a result, the security group makes judgments on whether a reported issue should be considered a security issue or not on a case-by-case basis.
  • How do vendors get notified of security issues?
    • We don’t have a defined mechanism to reach out to all vendors, i.e. people who use LLVM in a product. We also do not have a list of all the vendors that make use of LLVM.
    • Currently, the best way for a vendor to be sure of being informed is to join the security group.
  • How does one join the security group?
  • What kind of things have the group done?