From f05a8b831fc06c05bba5759ef9f737058f7fea63 Mon Sep 17 00:00:00 2001
From: Stephen Berard <stephen.berard@outlook.com>
Date: Tue, 31 Mar 2026 11:45:38 +0200
Subject: [PATCH] Refined guidance around what is a security issue

Signed-off-by: Stephen Berard <stephen.berard@outlook.com>
---
 doc/security_need_to_know.md | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/doc/security_need_to_know.md b/doc/security_need_to_know.md
index 89017f2de..e9bc89039 100644
--- a/doc/security_need_to_know.md
+++ b/doc/security_need_to_know.md
@@ -21,18 +21,16 @@ If the AoT compiler and/or related tools emit an AoT binary that breaches the Wa
 ### Is this bug considered a security vulnerability?
 
 #### For someone who finds a problem
+If a bug **causes a crash or hang**, treat it as a possible security issue and report it to a security advisor. A maintainer will review it and change its category if needed. When in doubt, report it as a security issue.
 
-if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
+If the person reporting the issue can answer "Yes" to any question in the checklist below, report it as a security issue. Otherwise, the issue can be treated as a regular bug.
 
-If the author of an issue(results in crash or hang) can go through the checklist below and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
-
-Does the issue:
-- expose sensitive information to unauthorized parties?
-- allow unauthorized modification of data or system state?
-- affect the availability of the system or its services?
-- permit unauthorized access to the system?
-- enable users to perform actions they should not be able to?
-- allow users to deny actions they have performed?
+Does the issue allow an WebAssembly binary to:
+- break out of the Wasm sandbox?
+- read or modify host memory, runtime memory, or another module's data when it should not?
+- use files, sockets, device access, or other host resources without being the granted capabilities?
+- call host functions or native APIs in a way that bypasses intended checks?
+- make the runtime unavailable or put it into an unrecoverable state?
 
 ---