SECURITY.txt: Drop "exploitable" in reference to hardening issues

The "exploitable vulnerability" may lead to a misunderstanding that missed hardening issues are considered vulnerabilities, just that they're not exploitable. This is not true, since while hardening bugs may be security-relevant, the absence of hardening does not make a program any more vulnerable to exploits than without. Drop the "exploitable" word to make it clear that missed hardening is not considered a vulnerability. Signed-off-by: Siddhesh Poyarekar <siddhesh@gotplt.org> ChangeLog: * SECURITY.txt: Drop "exploitable" in the hardening section.
2023-12-18 09:35:06 -05:00 · 2023-12-18 09:35:06 -05:00 · e9f2c6d260
commit e9f2c6d260
parent b7e5a29602
1 changed files with 4 additions and 4 deletions
--- a/SECURITY.txt
+++ b/SECURITY.txt
@ -155,10 +155,10 @@ Security features implemented in GCC
    GCC implements a number of security features that reduce the impact
    of security issues in applications, such as -fstack-protector,
    -fstack-clash-protection, _FORTIFY_SOURCE and so on.  A failure of
-    these features to function perfectly in all situations is not an
+    these features to function perfectly in all situations is not a
-    exploitable vulnerability in itself since it does not affect the
+    vulnerability in itself since it does not affect the correctness of
-    correctness of programs.  Further, they're dependent on heuristics
+    programs.  Further, they're dependent on heuristics and may not
-    and may not always have full coverage for protection.
+    always have full coverage for protection.
    Similarly, GCC may transform code in a way that the correctness of
    the expressed algorithm is preserved, but supplementary properties