Security: ruifm/llvm-dev

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public issue.

Report security issues privately via one of:

  1. GitHub's private vulnerability reporting: https://github.com/ruifm/llvm-dev/security/advisories/new (preferred)
  2. Email: report@ruimarques.xyz

Please include:

  • A clear description of the issue
  • Steps to reproduce
  • Affected version / commit
  • Impact assessment (what can an attacker do?)

You'll receive an acknowledgement within a week. If you haven't heard back, feel free to follow up.

Scope

This repo provides a container-based dev environment. Areas where security bugs are plausible:

  • Container escape / privilege escalation via Containerfile contents or podman invocation flags
  • Supply-chain issues from unpinned dependencies
  • Shell injection in justfile recipes that pass user input to podman, git, or downstream tools
  • _install_gitignore or _init writing to the wrong file

Out of scope:

  • Vulnerabilities in upstream llvm-project — report those to llvm/llvm-project.
  • Vulnerabilities in third-party tools pulled in by the Containerfile (clang, podman, distcc, …) — report those upstream.

Supported versions

Only main is supported. This project has no release train yet; security fixes land on main, and users pull them in via just overlay-update.

Disclosure

Issues are disclosed publicly once a fix is available on main and users have had a reasonable window (typically 7–14 days) to update. Credit goes to the reporter unless they prefer anonymity.