> All bugs are security risks - therefore all of them are implicitly
> annotated with the "greppable words".
not all bugs are security risks as not all bugs result in violating a security boundary (i.e., break some information flow control). but let's go with your thought, what would be the greppable words then? for extra bones, explain the security risk of commit 976d167615b64e14bc1491ca51d424e2ba9a5e84.
> Allowing developers untrained in security to add security annotations to
> changes would only add more noise to the commit messages.
so on one hand we have supposedly security-conscious developers who do care about the security of the code they produce and/or sign off on, and on the other hand they're untrained in security. as they say, you can't have it both ways ;). second, developers don't need to be trained in security to be able to understand when a PoC exploit demonstrates, say, code execution. and i sure as hell want to know about such fixes.