From: Siddhesh Poyarekar Date: Mon, 18 Dec 2023 14:35:06 +0000 (-0500) Subject: SECURITY.txt: Drop "exploitable" in reference to hardening issues X-Git-Tag: basepoints/gcc-15~3071 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9f2c6d260e3f07b5144d175248e2c8788857c96;p=thirdparty%2Fgcc.git SECURITY.txt: Drop "exploitable" in reference to hardening issues The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without. Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability. Signed-off-by: Siddhesh Poyarekar ChangeLog: * SECURITY.txt: Drop "exploitable" in the hardening section. --- diff --git a/SECURITY.txt b/SECURITY.txt index b3e2bbfda909..126603d4c228 100644 --- a/SECURITY.txt +++ b/SECURITY.txt @@ -155,10 +155,10 @@ Security features implemented in GCC GCC implements a number of security features that reduce the impact of security issues in applications, such as -fstack-protector, -fstack-clash-protection, _FORTIFY_SOURCE and so on. A failure of - these features to function perfectly in all situations is not an - exploitable vulnerability in itself since it does not affect the - correctness of programs. Further, they're dependent on heuristics - and may not always have full coverage for protection. + these features to function perfectly in all situations is not a + vulnerability in itself since it does not affect the correctness of + programs. Further, they're dependent on heuristics and may not + always have full coverage for protection. Similarly, GCC may transform code in a way that the correctness of the expressed algorithm is preserved, but supplementary properties
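Review bot: the rewrapped sentence in the hunk (lines 158-160 of the new file, "is not a vulnerability in itself since it does not affect the correctness of programs") still gives program correctness as the only justification, while the commit message's actual rationale, that a missed hardening leaves a program no more vulnerable than a build without that hardening, does not make it into SECURITY.txt. Since readers of the policy will not see the commit message, consider carrying that reasoning into the text, for example: "is not a vulnerability in itself: it does not affect the correctness of programs, and a program whose hardening did not engage is no more exposed than one built without the feature." The following unchanged sentence ("Further, they're dependent on heuristics and may not always have full coverage for protection.") then reads as a second, independent reason, which is how the commit message frames it; while touching it, "they depend on heuristics" would be the more formal phrasing for a policy document. Dropping "exploitable" itself is the right call: the old wording implied that missed hardening is a vulnerability that merely happens not to be exploitable, which is the misreading the commit message describes.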