diff --git a/llvm/docs/Contributing.rst b/llvm/docs/Contributing.rst --- a/llvm/docs/Contributing.rst +++ b/llvm/docs/Contributing.rst @@ -37,6 +37,11 @@ a debug build (`-DCMAKE_BUILD_TYPE=Debug`) or a build with assertions (`-DLLVM_ENABLE_ASSERTIONS=On`, enabled for Debug builds). +Reporting a Security Issue +-------------------------- + +There is a separate process to submit security-related bugs, see :ref:`How to report a security issue?`. + Bigger Pieces of Work --------------------- In case you are interested in taking on a bigger piece of work, a list of diff --git a/llvm/docs/HowToSubmitABug.rst b/llvm/docs/HowToSubmitABug.rst --- a/llvm/docs/HowToSubmitABug.rst +++ b/llvm/docs/HowToSubmitABug.rst @@ -10,6 +10,8 @@ about it. This document describes what you can do to increase the odds of getting it fixed quickly. +If you believe that the bug is security related, please follow :ref:`How to report a security issue?`. + Basically you have to do two things at a minimum. First, decide whether the bug `crashes the compiler`_ (or an LLVM pass), or if the compiler is `miscompiling`_ the program (i.e., the diff --git a/llvm/docs/Reference.rst b/llvm/docs/Reference.rst --- a/llvm/docs/Reference.rst +++ b/llvm/docs/Reference.rst @@ -37,6 +37,7 @@ PDB/index ScudoHardenedAllocator MemTagSanitizer + Security SegmentedStacks StackMaps SpeculativeLoadHardening diff --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst new file mode 100644 --- /dev/null +++ b/llvm/docs/Security.rst 
@@ -0,0 +1,182 @@ +=================== +LLVM Security Group +=================== + +The LLVM Security Group has the following goals: + +1. Allow LLVM contributors and security researchers to disclose security-related issues affecting the LLVM project to members of the LLVM community. +2. Organize fixes, code reviews, and release management for said issues. +3. Allow distributors time to investigate and deploy fixes before wide dissemination of vulnerabilities or mitigation shortcomings. +4. Ensure timely notification and release to vendors who package and distribute LLVM-based toolchains and projects. +5. Ensure timely notification to users of LLVM-based toolchains whose compiled code is security-sensitive, through the `CVE process`_. + +*Note*: these goals ensure timely action, provide disclosure timing when issues are reported, and respect vendors' / packagers' / users' constraints. + +The LLVM Security Group is private. It is composed of trusted LLVM contributors. Its discussions remain within the Security Group (plus issue reporter and key experts) while an issue is being investigated. After an issue becomes public, the entirety of the group’s discussions pertaining to that issue also become public. + + +Group Composition +================= + +Initial group +------------- + +The initial security group will start small and grow following the process established below. The LLVM Board will pick 10 community members. These members shall represent a wide cross-section of the community, and meet the criteria for inclusion below. + +*FUTURE*: where we maintain a list of current Security Group members can be decided later. + +Criteria +-------- + +* Nominees for LLVM Security Group membership should fall in one of these groups: + + - Individual contributors: + + + Specializes in fixing compiler-based security related issues or often participates in their exploration and resolution. 
+ + Has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities. + + Is a compiler expert who has specific interests in knowing about, resolving, and preventing future security vulnerabilities. + + Has actively contributed non-trivial code to the LLVM project in the last year. + + - Researchers: + + + Has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities. + + Is a compiler expert who has specific interests in knowing about, resolving, and preventing future security vulnerabilities. + + - Vendor contacts: + + + Represents an organization or company which ships products that include their own copy of LLVM. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes. + +* Additionally, the following are necessary but not sufficient criteria for membership in the LLVM Security Group: + + - If already in the LLVM Security Group, has actively participated in one (if any) security issue in the last year. + - If already in the LLVM Security Group, has actively participated in most membership discussions in the last year. + - If already in the LLVM Security Group, has actively participated in writing or reviewing a transparency report in the last year. + - When employed by a company or other entity, the parent entity has no more than three members already in the LLVM Security Group. + - When nominated as a vendor contact, their position with that vendor remains the same as when originally nominated. + - Nominees are trusted by existing Security Group members to keep communications embargoed while still active. + +Nomination process +------------------ + +Anyone who feels they meet these criteria can nominate themselves, or may be nominated by a third party such as an existing LLVM Security Group member. 
The nomination should state whether the nominee is nominated as an individual, researcher, or as a vendor contact. It should clearly describe the grounds for nomination. + +*FUTURE*: where nomination occurs (mailing list, GitHub, etc), can be decided later. See `Discussion Medium`_ below. + + +Choosing new members +-------------------- + +If a nomination for LLVM Security Group membership is supported by a majority of existing LLVM Security Group members, then it carries within five business days unless an existing member of the Security Group objects. If an objection is raised, the LLVM Security Group members should discuss the matter and try to come to consensus; failing this, the nomination will succeed only by a two-thirds supermajority vote of the LLVM Security Group. + +Accepting membership +-------------------- + +Before new LLVM Security Group membership is finalized, the successful nominee should accept membership and agree to abide by this security policy, particularly `Privileges and Responsibilities of LLVM Security Group Members`_ below. + +Keeping Membership Current +-------------------------- + +* At least every six months, the LLVM Security Group applies the above criteria. The membership list is pruned accordingly. +* Any Security Group member can ask that the criteria be applied within the next five business days. +* If a member of the LLVM Security Group does not act in accordance with the letter and spirit of this policy, then their LLVM Security Group membership can be revoked by a majority vote of the members, not including the person under consideration for revocation. After a member calls for a revocation vote, voting will be open for five business days. +* Emergency suspension: an LLVM Security Group member who blatantly disregards the LLVM Security Policy may have their membership temporarily suspended on the request of any two members. 
In such a case, the requesting members should notify the Security Group with a description of the offense. At this point, membership will be temporarily suspended for five business days, pending outcome of the vote for permanent revocation. +* The LLVM Board may remove any member from the LLVM Security Group. + +Transparency Report +------------------- + +Every year, the LLVM Security Group must publish a transparency report. The intent of this report is to keep the community informed by summarizing the disclosures that have been made public in the last year. It shall contain a list of all public disclosures, as well as statistics on time to fix issues, length of embargo periods, and so on. + + +Privileges and Responsibilities of LLVM Security Group Members +============================================================== + +Access +------ + +LLVM Security Group members will be subscribed to a private `Discussion Medium`_ (*FUTURE*: see section below). It will be used for technical discussions of security issues, as well as process discussions about matters such as disclosure timelines and group membership. Members have access to all security issues. + +Confidentiality +--------------- + +Members of the LLVM Security Group will be expected to treat LLVM security issue information shared with the group as confidential until publicly disclosed: + +* Members should not disclose security issue information to non-members unless both members are employed by the same vendor of a LLVM based product, in which case information can be shared within that organization on a need-to-know basis and handled as confidential information normally is within that organization. +* If the LLVM Security Group agrees, designated members may share issues with vendors of non-LLVM based products if their product suffers from the same issue. 
The non-LLVM vendor should be asked to respect the issue’s embargo date, and to not share the information beyond the need-to-know people within their organization. +* If the LLVM Security Group agrees, key experts can be brought in to help address particular issues. The key expert should be asked to respect the issue’s embargo date, and to not share the information. + +Disclosure +---------- + +Following the process below, the LLVM Security Group decides on embargo date for public disclosure for each Security issue. An embargo may be lifted before the agreed-upon date if all vendors planning to ship a fix have already done so, and if the reporter does not object. + +Collaboration +------------- + +Members of the LLVM Security Group are expected to: + +* Promptly share any LLVM vulnerabilities they become aware of. +* Volunteer to drive issues forward. +* Help evaluate the severity of incoming issues. +* Help write and review patches to address security issues. +* Participate in the member nomination and removal processes. + + +Discussion Medium +================= + +*FUTURE*: this section needs more work! Where discussions occur is influenced by other factors that are still open in this document. We can figure it out later. +See other existing systems: `chromium issue tracker`_, tentative `GitHub security`_. It seems like bugzilla and email don’t meet security requirements. + +The medium used to host LLVM Security Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations. + +This is where all security discussions occur: + +* File security issues. +* Nominate new members. +* Propose member removal. +* Suggest policy changes. +* Discuss security improvements to LLVM. + + +When a new issue is filed, a template is provided to help issue reporters provide all relevant information. 
+ + +Process +======= + +The following process occurs on the discussion medium for each reported issue: + +* A security issue reporter (not necessarily an LLVM contributor) reports an issue. +* Within two business days, a member of the Security Group is put in charge of driving the issue to an acceptable resolution. This champion doesn’t need to be the same person for each issue. This person can self-nominate. +* Members of the Security Group discuss in which circumstances (if any) an issue is relevant to security, and determine if it is a security issue. +* Negotiate an embargo date for public disclosure, with a default minimum time limit of ninety days. +* Security Group members can recommend that key experts be pulled in to specific issue discussions. The key expert can be pulled in unless there are objections from other Security Group members. +* Patches are written and reviewed. +* Backporting security patches from recent versions to old versions cannot always work. It is up to the Security Group to decide if such backporting should be done, and how far back. +* The Security Group figures out how the LLVM project’s own releases, as well as individual vendors’ releases, can be timed to patch the issue simultaneously. +* Embargo date can be delayed or pulled forward at the Security Group’s discretion. +* The issue champion obtains a CVE entry from MITRE_. +* Once the embargo expires, the patch is posted publicly according to LLVM’s usual code review process. +* All security issues (as well as nomination / removal discussions) become public within approximately fourteen weeks of the fix landing in the LLVM repository. Precautions should be taken to avoid disclosing particularly sensitive data included in the report (e.g. username and password pairs). + + +Changes to the Policy +===================== + +The LLVM Security Policy may be changed by majority vote of the LLVM Security Group. Such changes also need to be approved by the LLVM Board. 
+ + +How to report a security issue? +=============================== + +*FUTURE*: this section will be expanded once we’ve figured out other details above. + +Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters. + + + +.. _CVE process: https://cve.mitre.org +.. _chromium issue tracker: https://crbug.com +.. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories +.. _MITRE: https://cve.mitre.org diff --git a/llvm/docs/index.rst b/llvm/docs/index.rst --- a/llvm/docs/index.rst +++ b/llvm/docs/index.rst @@ -82,6 +82,10 @@ * :ref:`meetups-social-events` * :ref:`community-proposals` + Reporting a security issue + +* :ref:`How to report a security issue?` + Indices and tables ==================
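Review bot: In the Contributing.rst hunk, the new `:ref:`How to report a security issue?`` targets a section title rather than an explicit label; the Security.rst added by this patch defines no `.. _...:` label above that heading, so unless the docs build enables Sphinx's autosectionlabel extension the reference will not resolve, and a target containing `?` is fragile even when it does. Suggest declaring `.. _report-security-issue:` immediately above the heading in Security.rst and writing `:ref:`report-security-issue`` here and at the other two call sites (HowToSubmitABug.rst and index.rst).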
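Review bot: In the HowToSubmitABug.rst hunk, "security related" should be hyphenated as a compound modifier ("security-related"), matching the "security-related issues" wording used in Security.rst. Because this is the page most reporters will land on, consider also saying here what the separate process implies in practice (not filing the report in the public bug tracker) rather than only linking onward, since the linked section is still marked FUTURE in this patch.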
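Review bot: In the Reference.rst hunk, only the toctree gains `Security`; if Reference.rst also carries a descriptive `:doc:` list for each document, as index.rst lists its entries with `:ref:` items, add a matching one-line summary for the new policy so it is discoverable from the rendered reference page and not only from the sidebar.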
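Review bot: In the Security.rst hunk, the section that the other three hunks point reporters at, `How to report a security issue?`, is a FUTURE placeholder that names no reporting channel, so a reporter who follows those links has nowhere to send an issue; until the `Discussion Medium` is settled, at least state an interim contact, or say explicitly that none exists yet and that the public tracker must not be used. A wording defect in the Confidentiality section: "unless both members are employed by the same vendor of a LLVM based product" calls the non-member a member, so read "unless the member and the recipient are employed by the same vendor of an LLVM-based product". Finally, the Process list says issues "become public within approximately fourteen weeks of the fix landing" while the default embargo is ninety days from negotiation; stating how these two clocks relate (which starts first, and whether embargo expiry bounds the fourteen weeks) avoids two different answers to "when is this public?".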
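Review bot: In the index.rst hunk, the added line `Reporting a security issue` has no underline, unlike the neighbouring `Indices and tables` heading (underlined with `=`), so Sphinx will render it as a stray paragraph that terminates the preceding bullet list and leaves the new `:ref:` item as a separate one-entry list. Either give it an underline at the same level as the sibling headings in this part of index.rst, or drop the line and append the `:ref:` item to the existing bullet list above it.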