[llvm-dev] [RFC] LLVM Security Group and Process

Ed Maste via llvm-dev llvm-dev at lists.llvm.org
Tue Dec 10 07:28:59 PST 2019


Dimitry had a pretty comprehensive reply for FreeBSD, but I want to
expand on one thing:

On Thu, 5 Dec 2019 at 13:45, Dimitry Andric <dimitry at andric.com> wrote:
>
> On this list: Do you agree with the goals listed in the proposal?
>
> Yes, but I hope we can clarify what "time to investigate" and "timely notification" means, in more precise terms.

Other replies in the thread touched on this but I want to again
highlight that we should make sure we are clear about what is and is
not in scope for the team. Perhaps explicitly positioning this as an
"LLVM SIRT" or similar rather than a "security team" to indicate that
the focus is vulnerability response. Issues or discussions that are
security-related but do not need to be handled in confidence don't
require this process, but folks may send such issues to a "security
team" (as happens on occasion with the FreeBSD security team).
