[PATCH] D89068: Add expected response time and escalation path to the security docs
Pietro Albini via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Thu Oct 8 13:27:32 PDT 2020
pietroalbini created this revision.
pietroalbini added reviewers: kristof.beyls, mattdr, jfb.
Herald added subscribers: llvm-commits, dexonsmith.
Herald added a project: LLVM.
pietroalbini requested review of this revision.
Following up on the discussion within the group during the roundtable at the 2020 LLVM Developers Meeting, this commit adds to the security docs:
- How long we expect acknowledging security reports will take
- The escalation path the reporter can follow if they get no response
A temporary line inviting reporters to directly follow the escalation path while the mailing list is being set up is also added.
Repository:
rG LLVM Github Monorepo
https://reviews.llvm.org/D89068
Files:
llvm/docs/Security.rst
Index: llvm/docs/Security.rst
===================================================================
--- llvm/docs/Security.rst
+++ llvm/docs/Security.rst
@@ -208,13 +208,14 @@
How to report a security issue?
===============================
-*FUTURE*: this section will be expanded once we’ve figured out other details above.
+*FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below.
Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters.
-
+We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
.. _CVE process: https://cve.mitre.org
.. _chromium issue tracker: https://crbug.com
.. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
+.. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev
.. _MITRE: https://cve.mitre.org
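Review bot: Two wording issues in the added lines, plus one RST layout check. In the `*FUTURE*` line, "please follow directly the escalation instructions below" reads more naturally as "please follow the escalation instructions below directly", and in the new paragraph "within two business days since you first reach out" should be "within two business days of when you first reach out". The hunk also deletes a blank line (the lone `-` line) right before the new paragraph is inserted after the "Not everyone who wants to report ..." paragraph; confirm in the rendered Security.rst that a blank line still separates the two, since reStructuredText joins adjacent non-blank lines into a single paragraph. The bold warning that the escalation list is public is the right call; consider also telling reporters what they may say there (for example, only that they have an unacknowledged report and want a Security Group contact), so the public post never leaks detail about the issue itself.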