It is useful but quite limited by itself for security bugs - it's dynamic instrumentation so you'd need to test with the input triggering the vulnerability. (But useful in combination with fuzzing, similarly to the compiler sanitizer options)