Peter Maydell <[email protected]> writes:

> On Mon, 11 May 2026 at 18:06, Alex Bennée <[email protected]> wrote:
>>
>> This was initially written by ECA based on its understanding of the
>> code base. I then expanded it with links to the various documents and
>> the general coding style.
>>
>> Signed-off-by: Alex Bennée <[email protected]>
>
>> +## Security Policy
>> +You MUST NOT report potential security vulnerabilities in public trackers
>> +(like GitLab issues). Refer to `docs/system/security.rst` for the project's
>> +security stance. In brief:
>> +- **Virtualization Use Case**: (with KVM/HVF and specific machine types) is
>> + the focus of security support.
>> +- **Non-virtualization Use Case**: (TCG) does not currently provide guest
>> + isolation guarantees.
>> +- **Reporting**: Report vulnerabilities privately to
>> `[email protected]`.
>
> I feel like the important thing we want to point out to agents is
> that not all "this crashes / asserts / overruns a buffer" bugs
> are security issues. As it stands I feel like this text is
> going to steer them pretty strongly towards throwing anything
> and everything at qemu-security@, including bugs which we
> don't consider security issues. What we want ideally is to
> give instructions that will make the LLM itself do the
> initial "is this covered by the security policy" triage.
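Review bot: the new "Security Policy" section says where to send a report but gives no rule for deciding whether a finding is in scope, so the opening "You MUST NOT report potential security vulnerabilities in public trackers" reads as "send every crash, assert or overrun to qemu-security@". Add a triage step before the **Reporting** bullet that ties back to the two use-case bullets, along the lines of: "A bug is a security issue only if it breaks guest isolation in the supported virtualization use case (KVM/HVF with the supported machine types). Bugs that only affect the TCG (non-virtualization) use case, which provides no isolation guarantees, are ordinary bugs and go to the public tracker; when unsure, check `docs/system/security.rst` first." Minor wording point in the first two bullets: "**Virtualization Use Case**: (with KVM/HVF and specific machine types) is the focus" puts the parenthetical after the colon; "The virtualization use case (KVM/HVF with specific machine types) is the focus of security support" and "The non-virtualization use case (TCG) does not currently provide guest isolation guarantees" read more cleanly.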
I think for that we should augment the triage skill itself.

>
> thanks
> -- PMM

--
Alex Bennée
Virtualisation Tech Lead @ Linaro
