[llvm] 4d82ae6 - Add security group 2021 transparency report.

Kristof Beyls via llvm-commits llvm-commits at lists.llvm.org
Fri Jan 21 06:43:52 PST 2022


Author: Kristof Beyls
Date: 2022-01-21T15:43:17+01:00
New Revision: 4d82ae67b20826d97471c1ea76e8db3b054398f9

URL: https://github.com/llvm/llvm-project/commit/4d82ae67b20826d97471c1ea76e8db3b054398f9
DIFF: https://github.com/llvm/llvm-project/commit/4d82ae67b20826d97471c1ea76e8db3b054398f9.diff

LOG: Add security group 2021 transparency report.

Differential Revision:  https://reviews.llvm.org/D117872

Added: 
    llvm/docs/SecurityTransparencyReports.rst

Modified: 
    llvm/docs/Reference.rst
    llvm/docs/Security.rst

Removed: 
    


################################################################################
diff  --git a/llvm/docs/Reference.rst b/llvm/docs/Reference.rst
index d10fc8f23f735..0a2a84b31c4e2 100644
--- a/llvm/docs/Reference.rst
+++ b/llvm/docs/Reference.rst
@@ -38,6 +38,7 @@ LLVM and API reference documentation.
    ScudoHardenedAllocator
    MemTagSanitizer
    Security
+   SecurityTransparencyReports
    SegmentedStacks
    StackMaps
    SpeculativeLoadHardening

diff  --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst
index 19ce13b04babc..04cf5cabf8793 100644
--- a/llvm/docs/Security.rst
+++ b/llvm/docs/Security.rst
@@ -116,6 +116,8 @@ Transparency Report
 
 Every year, the LLVM Security Group must publish a transparency report. The intent of this report is to keep the community informed by summarizing the disclosures that have been made public in the last year. It shall contain a list of all public disclosures, as well as statistics on time to fix issues, length of embargo periods, and so on.
 
+The transparency reports are published at :doc:`SecurityTransparencyReports`.
+
 
 Privileges and Responsibilities of LLVM Security Group Members
 ==============================================================
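Review bot: the added sentence tells readers where the transparency reports live but not when to expect one; since the paragraph above requires a report "every year", consider stating the expected timing (for instance, that the report for a given year is published early in the following year) so the obligation in the preceding sentence has a checkable deadline.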

diff  --git a/llvm/docs/SecurityTransparencyReports.rst b/llvm/docs/SecurityTransparencyReports.rst
new file mode 100644
index 0000000000000..bcc28d8a9624f
--- /dev/null
+++ b/llvm/docs/SecurityTransparencyReports.rst
@@ -0,0 +1,44 @@
+========================================
+LLVM Security Group Transparency Reports
+========================================
+
+This page lists the yearly LLVM Security group transparency reports.
+
+2021
+----
+
+The :doc:`LLVM security group <Security>` was established on the 10th of July
+2020 by the act of the `initial
+commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing
+the purpose of the group and the processes it follows.  Many of the group's
+processes were still not well-defined enough for the group to operate well.
+Over the course of 2021, the key processes were defined well enough to enable
+the group to operate reasonably well:
+
+* We defined details on how to report security issues, see `this commit on
+  20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_
+* We refined the nomination process for new group members, see `this
+  commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_
+* We started writing an annual transparency report (you're reading the 2021
+  report here).
+
+Over the course of 2021, we had 2 people leave the LLVM Security group and 4
+people join.
+
+In 2021, the security group received 13 issue reports that were made publicly
+visible before 31st of December 2021.  The security group judged 2 of these
+reports to be security issues:
+
+* https://bugs.chromium.org/p/llvm/issues/detail?id=5
+* https://bugs.chromium.org/p/llvm/issues/detail?id=11
+
+Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
+#11 in llvm-project.  No dedicated LLVM release was made for either.
+
+We believe that with the publishing of this first annual transparency report,
+the security group now has implemented all necessary processes for the group to
+operate as promised. The group's processes can be improved further, and we do
+expect further improvements to get implemented in 2022. Many of the potential
+improvements end up being discussed on the `monthly public call on LLVM's
+security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.
+
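Review bot: the 2021 report omits the statistics that the Transparency Report section of Security.rst (context line in the previous hunk) says the report "shall contain", namely time to fix issues and length of embargo periods; for the two issues listed (#5 and #11) consider adding the report date, the date the issue was made public and the date of the fix, and for the remaining 11 reports a short breakdown of how they were classified (not a security issue, out of scope, duplicate), since the same text also calls for "a list of all public disclosures". Minor: the group's name is capitalized three different ways in this file ("LLVM Security Group" in the title, "LLVM Security group" in the first paragraph and "LLVM security group" in the 2021 section); pick one form.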


        

