[llvm] docs: Add an incident response guide (PR #133567)
Kristof Beyls via llvm-commits
llvm-commits at lists.llvm.org
Sat Mar 29 00:06:15 PDT 2025
================
@@ -0,0 +1,87 @@
+============================
+LLVM Incident Response Guide
+============================
+
+Purpose
+=======
+
+The purpose of this document is to outline how a project administrator should respond to
+malicious or unwanted content that appears on LLVM infrastructure. This includes but
+is not limited to: malicious code checked into the GitHub repository, unauthorized access
+to LLVM controlled servers, or compromise of community owned resources like buildbots
+or GitHub Actions runners.
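Review bot: The scope statement in this hunk is narrower than its own examples: the first sentence says the guide covers "malicious or unwanted content that appears on LLVM infrastructure", but two of the three listed cases (unauthorized access to servers, compromise of buildbots or runners) are access or integrity incidents rather than content, so a reader triaging a credential compromise could conclude the document does not apply. Consider rewording the first sentence to something like "how a project administrator should respond to a security incident affecting LLVM infrastructure, such as malicious content, unauthorized access, or compromised community resources". The hunk also assumes "a project administrator" as the responder without saying who holds that role or how a community member reaches one; a short definition or a link to where the role is documented would make the guide actionable. Minor style: "LLVM controlled servers" and "community owned resources" read better hyphenated as "LLVM-controlled" and "community-owned".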
----------------
kbeyls wrote:
Given there are different classes of incidents, and this document only covers a subset of all classes, I think it would be useful to have a pointer here to how other classes of incidents should be handled.
At the least, I think there should be a pointer to https://llvm.org/docs/Security.html#how-to-report-a-security-issue, and a description of when to use that process instead of the one in this document. We could also update https://llvm.org/docs/Security.html to point to this document, with a description of when to use the process documented here.
I'm not sure if there is a class of incidents that are not covered by either process document, but maybe there could be a "fall-back", saying what to do when you have an incident that requires some action that is not covered by either process document?
https://github.com/llvm/llvm-project/pull/133567