diff options
| author | Ahmed Bougacha <ahmed@bougacha.org> | 2021-04-20 10:31:26 -0700 |
|---|---|---|
| committer | Ahmed Bougacha <ahmed@bougacha.org> | 2021-05-19 15:21:50 -0700 |
| commit | c9dbaa4c86d29f891e2c30af787dfb74b9e83ed9 (patch) | |
| tree | ed7c0684487a3d5ced83548ac5aeeb0a2ee5a2b5 | |
| parent | 4bf69fb52b3c445ddcef5043c6b292efd14330e0 (diff) | |
| download | llvm-c9dbaa4c86d29f891e2c30af787dfb74b9e83ed9.tar.gz | |
[docs] Describe reporting security issues on the chromium tracker.
To track security issues, we're starting with the chromium bug tracker
(using the llvm project there).
We considered using Github Security Advisories. However, they are
currently intended as a way for project owners to publicize their
security advisories, and aren't well-suited to reporting issues.
This also moves the issue-reporting paragraph to the beginning of the
document, in part to make it more discoverable, in part to allow the
anchor-linking to actually display the paragraph at the top of the page.
Note that this doesn't update the concrete list of security-sensitive
areas, which is still an open item. When we do, we may want to move the
list of security-sensitive areas next to the issue-reporting paragraph
as well, as it seems like relevant information needed in the reporting
process.
Finally, when describing the discission medium, this splits the topics
discussed into two: the concrete security issues, discussed in the
issue tracker, and the logistics of the group, in our mailing list,
as patches on public lists, and in the monthly sync-up call.
While there, add a SECURITY.md page linking to the relevant paragraph.
Differential Revision: https://reviews.llvm.org/D100873
| -rw-r--r-- | SECURITY.md | 5 | ||||
| -rw-r--r-- | llvm/docs/GettingInvolved.rst | 2 | ||||
| -rw-r--r-- | llvm/docs/Security.rst | 40 |
3 files changed, 30 insertions, 17 deletions
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..f6a5e6c01629 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Reporting LLVM Security Issues + +To report security issues in LLVM, please follow the steps outlined on the +[LLVM Security Group](https://llvm.org/docs/Security.html#how-to-report-a-security-issue) +page. diff --git a/llvm/docs/GettingInvolved.rst b/llvm/docs/GettingInvolved.rst index 82993ca1a355..f57ca588f2ea 100644 --- a/llvm/docs/GettingInvolved.rst +++ b/llvm/docs/GettingInvolved.rst @@ -135,6 +135,8 @@ lists. .. __: http://lists.llvm.org/mailman/listinfo/llvm-announce
+.. _online-sync-ups:
+
Online Sync-Ups
---------------
diff --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst index 002c96cd80ba..14bdb137af7a 100644 --- a/llvm/docs/Security.rst +++ b/llvm/docs/Security.rst @@ -15,6 +15,15 @@ The LLVM Security Group has the following goals: The LLVM Security Group is private. It is composed of trusted LLVM contributors. Its discussions remain within the Security Group (plus issue reporter and key experts) while an issue is being investigated. After an issue becomes public, the entirety of the group’s discussions pertaining to that issue also become public. +.. _report-security-issue: + +How to report a security issue? +=============================== + +To report a security issue in the LLVM Project, please `open a new issue`_ in the LLVM project page, on the chromium issue tracker. Be sure to use the "Security bug report" template. + +We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it. + Group Composition ================= @@ -141,22 +150,28 @@ Members of the LLVM Security Group are expected to: Discussion Medium ================= -*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can figure it out later. -See other existing systems: `chromium issue tracker`_, tentative `GitHub security`_. It seems like bugzilla and email don’t meet security requirements. +*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can finalize it later. +It seems like bugzilla and email don't meet security requirements. The medium used to host LLVM Security Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations. -This is where all security discussions occur: +We are currently using the `chromium issue tracker`_ (as the `llvm` project) to have security discussions: * File security issues. -* Nominate new members. -* Propose member removal. -* Suggest policy changes. * Discuss security improvements to LLVM. - When a new issue is filed, a template is provided to help issue reporters provide all relevant information. +*FUTURE*: The `Github security`_ workflow allows publicly disclosing resolved security issues on the github project page, and we would be interested in adopting it for that purpose. However, it does not easily allow confidential reporting of security issues, as creating Github Security Advisories is currently restricted to Github project admins. That is why we have started with the `chromium issue tracker`_ instead. + + +We also occasionally need to discuss logistics of the LLVM Security Group itself: + +* Nominate new members. +* Propose member removal. +* Suggest policy changes. + +We often have these discussions publicly, in our :ref:`monthly public sync-up call <online-sync-ups>` and on public LLVM mailing lists. For internal or confidential discussions, we also use a private mailing list. Process ======= @@ -204,18 +219,9 @@ The parts of the LLVM Project which are currently treated as non-security sensit * Language front-ends, such as clang, for which a malicious input file can cause undesirable behavior. For example, a maliciously-crafter C or Rust source file can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been hardened, and compiling untrusted code usually also includes running utilities such as `make` which can more readily perform malicious things. * *FUTURE*: this section will be expanded. -.. _report-security-issue: - -How to report a security issue? -=============================== - -*FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below. - -Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters. - -We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it. .. _CVE process: https://cve.mitre.org +.. _open a new issue: https://bugs.chromium.org/p/llvm/issues/entry .. _chromium issue tracker: https://crbug.com .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories .. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev |