[tialaramex]

> not all bugs are security vulnerabilities

I think to make such a claim you need to specify attack model constraints. With an unconstrained model all bugs in a library are in fact security vulnerabilities.

This does depend on a very narrow reading of what constitutes a bug, for example I would not consider it a bug per se if a function does something that you wouldn't expect (and which perhaps the developers didn't intend) but does strictly match the documentation.

The problem is that the application software developer may depend upon documented features of your library in ways you didn't anticipate and if those documents are wrong (because of a bug) then you can't be sure it hasn't got security implications somewhere.