[docs] Document move from chromium to github to report security issues. (#95262)
I'm not aware of any other documentation changes that are needed to
complete the migration from chromium to github to report security
issues. The top-level security.md file refers to
https://llvm.org/docs/Security.html#how-to-report-a-security-issue for
documentation on reporting a security issue, which is being updated as
part of this PR.
llvm/docs/Security.rst: 7 additions & 16 deletions
@@ -20,7 +20,7 @@ The LLVM Security Group is private. It is composed of trusted LLVM contributors.
20
20
How to report a security issue?
21
21
===============================
22
22
23
-
To report a security issue in the LLVM Project, please `open a new issue`_ in the LLVM project page, on the chromium issue tracker. Be sure to use the "Security bug report" template.
23
+
To report a security issue in any of the LLVM projects, please use the `report a vulnerability`_ feature in the `llvm/llvm-security-repo`_ repository on github, under the "Security" tab.
24
24
25
25
We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by posting on the `Discourse forums`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
26
26
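Review bot: the replacement line introduces two new link targets, `report a vulnerability`_ and `llvm/llvm-security-repo`_, while this hunk removes the only use of `open a new issue`_ visible here; make sure the `.. _report a vulnerability:` and `.. _llvm/llvm-security-repo:` definitions are added (presumably in the -253 hunk, which is not shown) and that the `open a new issue` definition is either still referenced elsewhere or removed, otherwise Sphinx will warn about an unknown or unreferenced target. Since the "Security bug report" template mention is dropped, consider saying in the new sentence what information a report should contain, so reporters lose nothing from the old template-based flow.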
@@ -94,9 +94,7 @@ Nomination process
94
94
95
95
Anyone who feels they meet these criteria can nominate themselves, or may be nominated by a third party such as an existing LLVM Security Group member. The nomination should state whether the nominee is nominated as an individual, researcher, or as a vendor contact. It should clearly describe the grounds for nomination.
96
96
97
-
For the moment, nominations are generally proposed, discussed, and voted on using a github pull request. An `example nomination is available here`_. The use of pull requests helps keep membership discussions open, transparent, and easily accessible to LLVM developers in many ways. If, for any reason, a fully-world-readable nomination seems inappropriate, you may `open a new issue`_, and a discussion can be had about the best way to approach nomination, given the constraints that individuals are under.
98
-
99
-
Our recommended method of nomination may change as our `Discussion Medium`_ story evolves over time.
97
+
For the moment, nominations are generally proposed, discussed, and voted on using a github pull request. An `example nomination is available here`_. The use of pull requests helps keep membership discussions open, transparent, and easily accessible to LLVM developers in many ways. If, for any reason, a fully-world-readable nomination seems inappropriate, you may reach out to the security group via the `report a vulnerability`_ route, and a discussion can be had about the best way to approach nomination, given the constraints that individuals are under.
100
98
101
99
Choosing new members
102
100
--------------------
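Review bot: routing nominations through the `report a vulnerability`_ channel puts a membership nomination in the same private-report queue as actual vulnerability reports; the new sentence should ask the nominator to mark the report clearly as a nomination rather than a vulnerability, so it is triaged as a process discussion, and should say who will see it, since the audience of a private report differs from the old "open a new issue" flow. Dropping "Our recommended method of nomination may change as our `Discussion Medium`_ story evolves over time." is consistent with the Discussion Medium section being finalized in this same PR.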
@@ -131,7 +129,7 @@ Privileges and Responsibilities of LLVM Security Group Members
131
129
Access
132
130
------
133
131
134
-
LLVM Security Group members will be subscribed to a private `Discussion Medium`_ (*FUTURE*: see section below). It will be used for technical discussions of security issues, as well as process discussions about matters such as disclosure timelines and group membership. Members have access to all security issues.
132
+
LLVM Security Group members will be subscribed to a private `Discussion Medium`_. It will be used for technical discussions of security issues, as well as process discussions about matters such as disclosure timelines and group membership. Members have access to all security issues.
135
133
136
134
Confidentiality
137
135
---------------
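Review bot: "will be subscribed to a private `Discussion Medium`_" no longer describes the new medium: GitHub private vulnerability reports are visible per report to repository admins, security managers and collaborators added to that report, so there is nothing to subscribe to, and "Members have access to all security issues" only holds if every group member is granted the appropriate role on the repository or is added to each report. Suggest replacing "subscribed to" with a sentence stating how access is granted, e.g. "Members are granted access to every private report filed against llvm/llvm-security-repo."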
@@ -162,21 +160,13 @@ Members of the LLVM Security Group are expected to:
162
160
Discussion Medium
163
161
=================
164
162
165
-
*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can finalize it later.
166
-
It seems like bugzilla and email don't meet security requirements.
167
-
168
163
The medium used to host LLVM Security Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations.
169
164
170
-
We are currently using the `chromium issue tracker`_ (as the `llvm` project) to have security discussions:
165
+
We use `GitHub's mechanism to privately report security vulnerabilities`_ to have security discussions:
171
166
172
167
* File security issues.
173
168
* Discuss security improvements to LLVM.
174
169
175
-
When a new issue is filed, a template is provided to help issue reporters provide all relevant information.
176
-
177
-
*FUTURE*: The `Github security`_ workflow allows publicly disclosing resolved security issues on the github project page, and we would be interested in adopting it for that purpose. However, it does not easily allow confidential reporting of security issues, as creating Github Security Advisories is currently restricted to Github project admins. That is why we have started with the `chromium issue tracker`_ instead.
178
-
179
-
180
170
We also occasionally need to discuss logistics of the LLVM Security Group itself:
181
171
182
172
* Nominate new members.
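Review bot: the removed *FUTURE* paragraph was the only text that addressed public disclosure of resolved issues (the `Github security`_ advisory workflow), and nothing replaces it, so the section now says where reports are filed but not whether fixed issues will be published as advisories from llvm/llvm-security-repo; add a sentence on disclosure or keep that part of the removed paragraph. The bullet "Discuss security improvements to LLVM." now sits under a mechanism meant for reporting vulnerabilities, so say whether non-vulnerability improvement discussions go through a private report or elsewhere, and the dropped sentence about the issue template should be replaced by a note on what a private report should contain, since GitHub's report form is not the old template. Finally, check that the new `GitHub's mechanism to privately report security vulnerabilities`_ target is defined and that the now-unused `chromium issue tracker`_ and `Github security`_ definitions are removed.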
@@ -253,8 +243,9 @@ sensitive are the following. Note that this list can change over time.