[PATCH] D100873: [docs] Describe reporting security issues on the chromium tracker.

Ahmed Bougacha via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Tue Apr 20 10:56:22 PDT 2021 

ab created this revision.
ab added reviewers: apilipenko, dim, emaste, george.burgess.iv, kristof.beyls, mattdr, ojhunt, probinson, peter.smith, pietroalbini, serge-sans-paille, Shayne, jfb.
ab requested review of this revision.
Herald added a project: LLVM.

Hey folks!  While checking today's agenda I noticed this task slipped through the cracks from our discussion at the last sync, my bad!

To track security issues, we're starting with the chromium bug tracker
(using the llvm project there).  We would prefer to use Github to match
its increasing usage for llvm.  However, Github Security Advisories are
currently intended as a way for project owners to publicize their
security advisories, and isn't well-suited to reporting issues.
We may still want to have a more complicated process where we track
issues on the chromium tracker, and publicize them to the community
on Github.
Or, alternatively, tell people to reach out to us (without getting into
details) to file a security issue for them on Github directly, and give
them access to actually discuss the issue there.

This also moves the issue-reporting paragraph to the beginning of the
document, in part to make it more discoverable, in part to allow the
anchor-linking to actually display the paragraph at the top of the page.

Note that this doesn't update the concrete list of security-sensitive
areas, which is still an open item we may want to address before
actually landing this issue-reporting doc change.

We may want to move the list of security-sensitive areas next to the
issue-reporting paragraph as well, as it seems like relevant information
needed in the reporting process.

Finally, when describing the discission medium, this splits the topics
discussed into two: the concrete security issues, discussed in the
issue tracker, and the internal logistics, in our mailing list.
We may want to relax the nomination process to match our current usage
of patches vs the mailing list.

While there, add a SECURITY.md page linking to the relevant paragraph.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D100873

Files:
  SECURITY.md
  llvm/docs/Security.rst


Index: llvm/docs/Security.rst
===================================================================
--- llvm/docs/Security.rst
+++ llvm/docs/Security.rst
@@ -15,6 +15,15 @@
 
 The LLVM Security Group is private. It is composed of trusted LLVM contributors. Its discussions remain within the Security Group (plus issue reporter and key experts) while an issue is being investigated. After an issue becomes public, the entirety of the group’s discussions pertaining to that issue also become public.
 
+.. _report-security-issue:
+
+How to report a security issue?
+===============================
+
+To report a security issue in the LLVM Project, please `open a new issue`_ in the LLVM project page, on the chromium issue tracker.  Be sure to use the "Security bug report" template.
+
+We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
+
 
 Group Composition
 =================
@@ -141,21 +150,26 @@
 Discussion Medium
 =================
 
-*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can figure it out later.
-See other existing systems: `chromium issue tracker`_, tentative `GitHub security`_. It seems like bugzilla and email don’t meet security requirements.
+*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can finalize it later.
+It seems like bugzilla and email don't meet security requirements.
 
 The medium used to host LLVM Security Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations.
 
-This is where all security discussions occur:
+We are currently using the `chromium issue tracker`_ (as the `llvm` project) to have security discussions:
 
 * File security issues.
+* Discuss security improvements to LLVM.
+
+When a new issue is filed, a template is provided to help issue reporters provide all relevant information.
+
+*FUTURE*: We would be interested in adopting the `Github security`_ workflow to align with the developer workflows the LLVM community is using.  We have started with the `chromium issue tracker`_ instead, because creating Github Security Advisories is currently restricted to Github project admins.  However, Github Security Advisories may be better suited to publicly disclosing resolved security issues.
+
+
+We are also currently using a private mailing list to discuss the internal logistics of the LLVM Security Group:
+
 * Nominate new members.
 * Propose member removal.
 * Suggest policy changes.
-* Discuss security improvements to LLVM.
-
-
-When a new issue is filed, a template is provided to help issue reporters provide all relevant information.
 
 
 Process
@@ -204,18 +218,9 @@
 * Language front-ends, such as clang, for which a malicious input file can cause undesirable behavior. For example, a maliciously-crafter C or Rust source file can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been hardened, and compiling untrusted code usually also includes running utilities such as `make` which can more readily perform malicious things.
 * *FUTURE*: this section will be expanded.
 
-.. _report-security-issue:
-
-How to report a security issue?
-===============================
-
-*FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below.
-
-Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters.
-
-We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
 
 .. _CVE process: https://cve.mitre.org
+.. _open a new issue: https://bugs.chromium.org/p/llvm/issues/entry
 .. _chromium issue tracker: https://crbug.com
 .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
 .. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev
Index: SECURITY.md
===================================================================
--- /dev/null
+++ SECURITY.md
@@ -0,0 +1,5 @@
+# Reporting LLVM Security Issues
+
+To report security issues in LLVM, please follow the steps outlined on the
+[LLVM Security Group](https://llvm.org/docs/Security.html#how-to-report-a-security-issue)
+page.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D100873.338927.patch
Type: text/x-patch
Size: 5119 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20210420/faf628b5/attachment.bin>

More information about the llvm-commits mailing list