[PATCH] D70326: [docs] LLVM Security Group and Process

David Chisnall via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Jun 19 02:39:18 PDT 2020


theraven added inline comments.


================
Comment at: llvm/docs/Security.rst:46
+
+  - Vendor contacts:
+
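Review bot: the "Vendor contacts:" entry in Security.rst is a bare label with nothing under it in this hunk; the list item should state which organisations qualify as a vendor contact and what they are expected to contribute to the group (for example whether receiving embargoed information is enough, or whether they must help coordinate or assess fixes), so that the membership criterion is documented rather than left to the review discussion.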
----------------
psmith wrote:
> There are many vendors that build products from LLVM, and would like to be informed about vulnerabilities, but they may not be able to provide a security expert for the group. We may be at risk of putting off smaller vendors from putting names forward that largely want to be informed but may not be able to contribute fixes.
> 
> I don't think this needs changing in the text though. We'll have to see how it goes.
I think that's a great point. We may want to have a two-ring approach, with a group that will coordinate the response and patch, and a wider distribution group that has access to the embargoed patch so that they can do package builds and coordinated releases. My concern over this approach is that it's much lower overhead to be in the second group and so the incentive is to only be in the second group, where you benefit from the process but don't contribute.

This also needs to be balanced with the fact that a leak of an embargoed patch is more likely the more people are exposed to it (for example, OpenBSD leaked the fix for the KRACK WPA2 attack before the embargo, which put everyone else at risk and got the project banned from access to embargoed fixes for a few things).

From the project's perspective, what is the benefit of having these small vendors participating? For the vendor to benefit, they must have a process for handling embargoed fixes and doing coordinated releases. It seems quite unlikely that such a vendor would not have someone who can help out at least in coordinating the response, if not in assessing the security.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D70326/new/

https://reviews.llvm.org/D70326




