[llvm] 05ef552 - Add expected response time and escalation path to the security docs

Kristof Beyls via llvm-commits llvm-commits at lists.llvm.org
Tue Oct 13 01:57:32 PDT 2020


Author: Pietro Albini
Date: 2020-10-13T10:57:06+02:00
New Revision: 05ef552e5660d05cb6cd730c734e709d8323fd6f

URL: https://github.com/llvm/llvm-project/commit/05ef552e5660d05cb6cd730c734e709d8323fd6f
DIFF: https://github.com/llvm/llvm-project/commit/05ef552e5660d05cb6cd730c734e709d8323fd6f.diff

LOG: Add expected response time and escalation path to the security docs

Following up on the discussion within the group during the roundtable at
the 2020 LLVM Developers Meeting, this commit adds to the security docs:

* How long we expect acknowledging security reports will take
* The escalation path the reporter can follow if they get no response

A temporary line inviting reporters to directly follow the escalation
path while the mailing list is being setup is also added.

Differential Revision: https://reviews.llvm.org/D89068

Added: 
    

Modified: 
    llvm/docs/Security.rst

Removed: 
    


################################################################################
diff  --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst
index 8f71db1894d1..d73a9e835d6d 100644
--- a/llvm/docs/Security.rst
+++ b/llvm/docs/Security.rst
@@ -207,13 +207,14 @@ The parts of the LLVM Project which are currently treated as non-security sensit
 How to report a security issue?
 ===============================
 
-*FUTURE*: this section will be expanded once we’ve figured out other details above.
+*FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below.
 
 Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters.
 
-
+We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
 
 .. _CVE process: https://cve.mitre.org
 .. _chromium issue tracker: https://crbug.com
 .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
+.. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev
 .. _MITRE: https://cve.mitre.org
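Review bot: the hunk introduces a two-business-day acknowledgement target ("since you first reach out") without naming the channel a reporter is supposed to reach out on, and the interim sentence added to the *FUTURE* line then points reporters straight at the escalation path, which is the public `llvm-dev` list. Taken together, the only reporting route this revision documents is a public list on which the reporter is told not to describe the issue, so a first-time reporter has no private channel to use until the dedicated mailing list exists. Consider either listing a private contact (even a temporary one) in the *FUTURE* paragraph, or rewording the interim sentence to say explicitly that the `llvm-dev` post should only ask for a private point of contact and must not contain details of the issue. Minor wording: "within two business days of when you first reach out" reads better than "since you first reach out", and "please directly follow the escalation instructions below" rather than "please follow directly".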
