diff --git a/llvm/docs/Contributing.rst b/llvm/docs/Contributing.rst --- a/llvm/docs/Contributing.rst +++ b/llvm/docs/Contributing.rst @@ -40,7 +40,7 @@ Reporting a Security Issue -------------------------- -There is a separate process to submit security-related bugs, see :ref:`How to report a security issue?`. +There is a separate process to submit security-related bugs, see :ref:`report-security-issue`. Bigger Pieces of Work --------------------- diff --git a/llvm/docs/HowToSubmitABug.rst b/llvm/docs/HowToSubmitABug.rst --- a/llvm/docs/HowToSubmitABug.rst +++ b/llvm/docs/HowToSubmitABug.rst @@ -10,7 +10,7 @@ about it. This document describes what you can do to increase the odds of getting it fixed quickly. -If you believe that the bug is security related, please follow :ref:`How to report a security issue?`. +🔒 If you believe that the bug is security related, please follow :ref:`report-security-issue`. 🔒 Basically you have to do two things at a minimum. First, decide whether the bug `crashes the compiler`_ (or an LLVM pass), or if the diff --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst --- a/llvm/docs/Security.rst +++ b/llvm/docs/Security.rst 
@@ -19,12 +19,26 @@ Group Composition ================= -Initial group -------------- - -The initial security group will start small and grow following the process established below. The LLVM Board will pick 10 community members. These members shall represent a wide cross-section of the community, and meet the criteria for inclusion below. - -*FUTURE*: where we maintain a list of current Security Group members can be decided later. +Security Group Members +---------------------- + +The members of the group represent a wide cross-section of the community, and meet the criteria for inclusion below. + +* Akila Srinivasan (Apple) +* Dimitry Andric (invidual; FreeBSD) +* Ed Maste (individual; FreeBSD) +* JF Bastien (Apple) +* Josh Eads (Sony) +* Kristof Beyls (ARM) +* Matthew Riley (Google) +* Oliver Hunt (Apple) +* Paul Robinson (Sony) +* Peter Smith (ARM) +* Philip Reames (Azul Systems Inc) +* Pietro Albini (individual; Rust) +* Serge Guelton (RedHat) +* Shayne Hiet-Block (Microsoft) +* Steve Klabnik (Oxide Computer Company; Rust) Criteria -------- @@ -182,7 +196,14 @@ The security-sensitive parts of the LLVM Project currently are: * None (this process is new, the list hasn't been populated yet) +* *FUTURE*: this section will be expanded. + +The parts of the LLVM Project which are currently treated as non-security sensitive are: + +* Language front-ends, such as clang, for which a malicious input file can cause undesirable behavior. For example, a maliciously-crafter C or Rust source file can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been hardened, and compiling untrusted code usually also includes running utilities such as `make` which can more readily perform malicious things. +* *FUTURE*: this section will be expanded. +.. _report-security-issue: How to report a security issue? =============================== diff --git a/llvm/docs/index.rst b/llvm/docs/index.rst --- a/llvm/docs/index.rst +++ b/llvm/docs/index.rst 
@@ -85,7 +85,7 @@ Reporting a security issue -* :ref:`How to report a security issue?` +* :ref:`report-security-issue` Indices and tables ==================
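Review bot: Typo in the new Security Group member list in the first Security.rst hunk: "Dimitry Andric (invidual; FreeBSD)" should read "(individual; FreeBSD)", matching the "(individual; FreeBSD)" spelling used for Ed Maste and the "(individual; Rust)" entry for Pietro Albini. Also consider a one-line note under the list stating how it is kept current (the removed "*FUTURE*" paragraph said that was still to be decided); otherwise the hardcoded list silently becomes the source of truth with no stated maintenance rule.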
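Review bot: Typo and markup issues in the second Security.rst hunk: "a maliciously-crafter C or Rust source file" should be "maliciously-crafted", and `make` in single backticks is interpreted text in reStructuredText (rendered via the default role, not as code); use double backticks, i.e. ``make``, which is the convention for inline literals elsewhere in the LLVM docs. The "security-sensitive parts" list now carries both "None (this process is new, the list hasn't been populated yet)" and the added "*FUTURE*: this section will be expanded." bullet, which say the same thing; keep one. Finally, since this section is telling users that front-ends like clang are explicitly not hardened against malicious input, it is worth spelling out the practical consequence in the same paragraph: people compiling untrusted sources should treat the compiler like any other untrusted-input consumer and run it in a sandbox or disposable environment, rather than expecting a security response for such crashes.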
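Review bot: The new explicit target ``.. _report-security-issue:`` must be followed by a blank line before the "How to report a security issue?" title; the run-together context here makes it impossible to tell whether one is present. Without it docutils ends the explicit markup block at the unindented title and emits "Explicit markup ends without a blank line; unexpected unindent", and the label may not attach to the section, breaking the three ``:ref:`report-security-issue``` links introduced in Contributing.rst, HowToSubmitABug.rst and index.rst. Switching those links from a title-text reference to a named label is the right fix (``:ref:`` only resolves section titles when autosectionlabel is enabled), but the 🔒 characters bracketing the rewritten sentence in HowToSubmitABug.rst look like highlight or rendering markers rather than intended text; confirm they are not part of the committed line.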