From b937689ba6d45a0d38b5248ff618dc0dceff21ad Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 20 Nov 2025 15:46:58 +0100 Subject: [PATCH] Add a section about compiler-introduced timing side channels Signed-off-by: Gilles Peskine --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 114dce6a69..ebb53e9962 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -104,6 +104,12 @@ model, they need to be mitigated by physical countermeasures. ### Caveats +#### Compiler-induced side channels + +Mbed TLS is mostly written in C. We use standard C except with known compilers, so we do not expect compilers to introduce direct vulnerabilities. However, compilers can introduce [timing side channels](#timing-attacks) in code that was intended to be constant-time. Mbed TLS includes countermeasures to try to prevent this. But given the diversity of compilers, compiler options and target platforms, this prevention may not be complete. + +We recommend compiling Mbed TLS with commonly used levels of optimizations, such as `-O2` or `-Os`. Higher levels of optimization such as `-O3` or `-Oz` are likely to be safe but are less scrutinized. We do not recommend using less vetted optimization options unless your system is physically isolated. + #### Out-of-scope countermeasures Mbed TLS has evolved organically and a well defined threat model hasn't always
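Review bot: in the second added paragraph, "less vetted optimization options" is not defined and reads too close to the "less scrutinized" label given to `-O3` and `-Oz` one sentence earlier. A reader cannot tell whether `-O3` and `-Oz` fall under "likely to be safe" or under "We do not recommend ... unless your system is physically isolated". Please name what the last sentence covers, or state explicitly that it means options other than the four listed. The recommendation is also silent on unoptimized builds, so it is unclear which category `-O0` falls into. In the first added paragraph, "We use standard C except with known compilers" is ambiguous. If the intent is that non-standard constructs are only used when the compiler is a known one, saying that directly would make the "so we do not expect compilers to introduce direct vulnerabilities" conclusion easier to follow. Finally, "Mbed TLS includes countermeasures to try to prevent this" gives integrators nothing to check. A pointer to where those countermeasures live, or to how a build can be tested for constant-time behaviour, would make the caveat actionable.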