Enhance security guidelines for identifying vulnerabilities (#4584)

* Enhance security guidelines for identifying vulnerabilities. It includes a tiered-support-list
* Update issue templates. Follow [the instructions at GitHub Documentation](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#creating-issue-templates) to recreate issue templates. Apply the new format and add new fields.

Author: lum1n0us

.github/ISSUE_TEMPLATE/blank_issue.md

@@ -0,0 +1,41 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: "Add a placeholder for issue title. ex: [BUG]"
+labels: bug
+assignees: ""
+---
+
+**Is it a security vulnerability?**
+If it results in a crash or hang, please refer to [a quick checklist](../../doc/security_need_to_know.md#is-this-bug-considered-a-security-vulnerability) to determine if it is a security vulnerability. If you are still unsure, please report it through [a security advisor](https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories) and allow the maintainer to make a decision. Thank you.
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**Version**
+Information like tags, release version, commits.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+
+1. Compile iwasm with flags like '...'
+2. (Optional) Compile wamrc with flags like '....'
+3. (Optional) Run wamrc with CLI options like '...' to generate .aot
+4. Run iwasm with CLI options like '...'
+5. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Result**
+What you've got.
+
+**Desktop (please complete the following information):**
+
+- Arch [e.g. x86_64, arm64, 32bit]
+- Board [e.g. STM32F407]
+- OS [e.g. Linux, Windows, macOS, FreeRTOS]
+- Version [e.g. 22]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1 @@
+blank_issues_enabled: true

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: 'Add a placeholder for issue title. ex: [RFC]'
+labels: help wanted
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -11,6 +11,7 @@ on:
       - synchronize
     paths:
       - ".github/**"
+      - "!.github/ISSUE_TEMPLATE/**"
       - "build-scripts/**"
       - "core/**"
       - "!core/deps/**"
@@ -27,6 +28,7 @@ on:
       - "dev/**"
     paths:
       - ".github/**"
+      - "!.github/ISSUE_TEMPLATE/**"
       - "build-scripts/**"
       - "core/**"
       - "!core/deps/**"

.github/ISSUE_TEMPLATE/improvement.md

@@ -20,6 +20,8 @@ add_library(vmlib ${WAMR_RUNTIME_LIB_SOURCE})
 
 The script `runtime_lib.cmake` defines a number of variables for configuring the WAMR runtime features. You can set these variables in your CMakeList.txt or pass the configurations from cmake command line.
 
+Please refer to [a full list of configuration options](./tired_support.md#appendix-all-compilation-flags).
+
 ### **Configure platform and architecture**
 
 - **WAMR_BUILD_PLATFORM**:  set the target platform. It can be set to any platform name (folder name) under folder [core/shared/platform](../core/shared/platform).

.github/ISSUE_TEMPLATE/report_bug.md

@@ -15,19 +15,46 @@ It is commonly stated that a security issue is an issue that:
 
 Given that WASI is a set of Capability-based APIs, all unauthorized actions are not supposed to happen. Most of the above security concerns can be alleviated. What remains for us is to ensure that the execution of Wasm modules is secure. In other words, do not compromise the sandbox. Unless it is explicitly disabled beforehand.
 
-Thus, we share most of the criteria for judging security issues with [the Bytecode Alliance](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#definition).
+### Is this bug considered a security vulnerability?
 
-> [!NOTE]
-> keep updating this document as the project evolves.
+#### For someone who finds a problem
+
+if a bug **results in crash or hang**, please treat it as a security problem and report it to a security advisor. The maintainer will look into it and change its category if needed. It is better safe than sorry.
+
+If the author of an issue(results in crash or hang) can go through the following checklist and answer all questions with "No", it is fine to mark it as a regular bug. If not, please report it as a security issue.
+
+---
+
+#### For those maintainers
+
+please use the following guidelines to determine if a bug or advisory is a security issue:
+
+Only bugs that affect [tier A platforms or features](./tiered_support.md) should be considered.
+
+Actions that differ from Wasm rules (like calculating wrong values) are not seen as security issues as long as they stay within the sandbox.
+
+By default, native APIs and CLIs are following the principle of **caller guarantee**. If the caller provides incorrect parameters or users input malformed options, it is not a security issue. For example, if a user passes an invalid file descriptor to `fd_read`, it is not a security issue.
+
+.wasm are not trusted. Malformed .wasm files should be handled gracefully. If a .wasm file causes a runtime crash or hang, it is a security issue. On the other hand, it's expected that aot runtime alone doesn't provide the same guarantee. So user-crafted .aot can cause anything, including crashes or hangs. They are not considered security issues.
+
+A denial-of-service (DoS) attack is a cyberattack that aims to make a computer or network resource unavailable to its users. If the service (runtime in this case) can recover and start another module or run another function within the same instance, it is not considered unavailable, and thus not a Denial of Service (DoS).
+
+Another type of execution problem we usually do not classify as a security one is if it is caused by an infinite loop or incorrect recursive function call chain.
+
+### When a maintainer identify a problem that should be classified as a security vulnerability
+
+Once a maintainer realizes an issue or PR describes a real or possible security vulnerability, act quickly to minimize exposure. Do not share technical details publicly on the issue or PR anymore. Maintainers should:
+
+- Close or edit the public discussion. Thank the person who reported it and explain that security-related issues should go through the Security Advisory process. Close the public issue or pull request as soon as possible to prevent further public sharing. If details have already been shared, consider editing or asking GitHub staff to remove sensitive content.
+
+- Create a Security Advisory. Invite the reporter to join as a collaborator or reporter. If the reporter is uncomfortable using GitHub Security Advisories, offer another private communication method, such as email.
+
+- Follow the guidelines in [the security issue runbook](./security_issue_runbook.md) for the next steps.
 
 ## reporting a security issue
 
 Follow the [same guidelines](https://bytecodealliance.org/security) as other projects within the Bytecode Alliance.
 
 ## managing a security issue
 
-Before reporting an issue, particularly one related to crashing, consult [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability), _Report a security vulnerability_ if it qualifies.
-
-Upon receiving an issue, thoroughly review [the cheat sheet](https://github.com/bytecodealliance/rfcs/blob/main/accepted/what-is-considered-a-security-bug.md#cheat-sheet-is-this-bug-considered-a-security-vulnerability) to assess and _Report a security vulnerability_ if the issue is indeed a security vulnerability.
-
 Once a security issue is confirmed, please refer to [the runbook](./security_issue_runbook.md) for the subsequent steps to take.