On Mon, 11 May 2026 at 18:06, Alex Bennée <[email protected]> wrote:
>
> This was initially written by ECA based on its understanding of the
> code base. I then expanded it with links to the various documents and
> the general coding style.
>
> Signed-off-by: Alex Bennée <[email protected]>

> +## Security Policy
> +You MUST NOT report potential security vulnerabilities in public trackers
> +(like GitLab issues). Refer to `docs/system/security.rst` for the project's
> +security stance. In brief:
> +- **Virtualization Use Case**: (with KVM/HVF and specific machine types) is
> +  the focus of security support.
> +- **Non-virtualization Use Case**: (TCG) does not currently provide guest
> +  isolation guarantees.
> +- **Reporting**: Report vulnerabilities privately to 
> `[email protected]`.
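Review bot: The "Reporting" bullet gives the agent no criterion for deciding whether a finding falls under the policy at all, so every crash, assertion failure or buffer overrun will be routed to the private address regardless of whether it is reachable in the Virtualization Use Case. The two preceding bullets already contain the distinction (KVM/HVF with specific machine types is supported; TCG provides no guest isolation guarantees), so add an explicit triage step before the reporting line that applies it, for example "- **Triage**: treat a bug as a security issue only if a guest can trigger it in the Virtualization Use Case; crashes reachable only under TCG, or only from the host side, go to the normal public tracker." Two smaller points in the same hunk: put a blank line after the "## Security Policy" heading so it renders as a heading in all Markdown flavours, and the "(with KVM/HVF and specific machine types) is" phrasing reads more naturally as "Virtualization (KVM/HVF with supported machine types) is the focus of security support."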

I feel like the important thing we want to point out to agents is
that not all "this crashes / asserts / overruns a buffer" bugs
are security issues. As it stands I feel like this text is
going to steer them pretty strongly towards throwing anything
and everything at qemu-security@, including bugs which we
don't consider security issues. What we want ideally is to
give instructions that will make the LLM itself do the
initial "is this covered by the security policy" triage.

thanks
-- PMM
