[PATCH] D117872: Add security group 2021 transparency report.

Kristof Beyls via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Fri Jan 21 04:12:34 PST 2022


kristof.beyls created this revision.
kristof.beyls added reviewers: ab, peter.smith, pietroalbini, george.burgess.iv.
kristof.beyls requested review of this revision.
Herald added a project: LLVM.

Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D117872

Files:
  llvm/docs/Reference.rst
  llvm/docs/Security.rst
  llvm/docs/SecurityTransparencyReports.rst


Index: llvm/docs/SecurityTransparencyReports.rst
===================================================================
--- /dev/null
+++ llvm/docs/SecurityTransparencyReports.rst
@@ -0,0 +1,44 @@
+========================================
+LLVM Security Group Transparency Reports
+========================================
+
+This page lists the yearly LLVM Security group transparency reports.
+
+2021
+----
+
+The :doc:`LLVM security group <Security>` was established on the 10th of July
+2020 by the act of the `initial
+commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing
+the purpose of the group and the processes it follows.  Many of the group's
+processes were still not well-defined enough for the group to operate well.
+Over the course of 2021, the key processes were defined well enough to enable
+the group to operate reasonably well:
+
+* We defined details on how to report security issues, see `this commit on
+  20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_
+* We refined the nomination process for new group members, see `this
+  commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_
+* We started writing an annual transparency report (you're reading the 2021
+  report here).
+
+Over the course of 2021, we had 2 people leave the LLVM Security group and 4
+people join.
+
+In 2021, the security group received 13 issue reports that were made publicly
+visible before 31st of December 2021.  The security group judged 2 of these
+reports to be security issues:
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=5
+* https://bugs.chromium.org/p/llvm/issues/detail?id=11
+
+Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
+#11 in llvm-project.  No dedicated LLVM release was made for either.
+
+We believe that with the publishing of this first annual transparency report,
+the security group now has implemented all necessary processes for the group to
+operate as promised. The group's processes can be improved further, and we do
+expect further improvements to get implemented in 2022. Many of the potential
+improvements end up being discussed on the `monthly public call on LLVM's
+security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.
+
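Review bot: the new report does not carry the data that Security.rst (the hunk below, line "Every year, the LLVM Security Group must publish a transparency report...") says each report shall contain: "a list of all public disclosures, as well as statistics on time to fix issues, length of embargo periods, and so on". The 2021 section lists only the 2 of 13 reports judged to be security issues, and gives no dates for either, so neither time-to-fix nor embargo length can be derived from it. Suggest adding, for #5 and #11, the date reported, the date the fix landed and the date the issue was made public (the chromium tracker entries linked above carry those timestamps), and either listing the remaining 11 public reports or linking a tracker query that enumerates them; if the statistics are deliberately deferred, say so in the report rather than leaving the Security.rst promise unmet. Minor wording in the same hunk: "by the act of the initial commit describing the purpose of the group" reads awkwardly ("with the initial commit, which describes...") and "operate well" appears twice in three lines.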
Index: llvm/docs/Security.rst
===================================================================
--- llvm/docs/Security.rst
+++ llvm/docs/Security.rst
@@ -116,6 +116,8 @@
 
 Every year, the LLVM Security Group must publish a transparency report. The intent of this report is to keep the community informed by summarizing the disclosures that have been made public in the last year. It shall contain a list of all public disclosures, as well as statistics on time to fix issues, length of embargo periods, and so on.
 
+The transparency reports are published at :doc:`SecurityTransparencyReports`.
+
 
 Privileges and Responsibilities of LLVM Security Group Members
 ==============================================================
Index: llvm/docs/Reference.rst
===================================================================
--- llvm/docs/Reference.rst
+++ llvm/docs/Reference.rst
@@ -38,6 +38,7 @@
    ScudoHardenedAllocator
    MemTagSanitizer
    Security
+   SecurityTransparencyReports
    SegmentedStacks
    StackMaps
    SpeculativeLoadHardening


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D117872.401937.patch
Type: text/x-patch
Size: 3379 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20220121/b6a3f61f/attachment.bin>