←back to thread

Compiler Options Hardening Guide for C and C++

(best.openssf.org)
232 points pjmlp | 2 comments | 31 Mar 25 11:01 UTC | HN request time: 0.451s | source
1. grandempire ◴[31 Mar 25 14:30 UTC] No.43535490[source]
> Our threat model is that all software developers make mistakes, and sometimes those mistakes lead to vulnerabilities

That’s not a threat model. What are the attackers going to do if there are vulnerabilities in your executable? Is it connected to a web server?

Does it have access to privileged resources?

replies(1): >>43536014 #
2. steveklabnik ◴[31 Mar 25 15:17 UTC] No.43536014[source]
They're using it in the sense of "the scope of this document covers this scenario," so the answer to all of your questions are out of scope.