This is an archive of the discontinued LLVM Phabricator instance.

Differential D89068

Add expected response time and escalation path to the security docs
ClosedPublic

Authored by pietroalbini on Oct 8 2020, 1:27 PM.

Details

Reviewers
kristof.beyls
mattdr
jfb
Commits
rG05ef552e5660: Add expected response time and escalation path to the security docs
Summary

Following up on the discussion within the group during the roundtable at the 2020 LLVM Developers Meeting, this commit adds to the security docs:

  • How long we expect acknowledging security reports will take
  • The escalation path the reporter can follow if they get no response

A temporary line inviting reporters to directly follow the escalation path while the mailing list is being setup is also added.

Diff Detail

Event Timeline

pietroalbini created this revision.Oct 8 2020, 1:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptOct 8 2020, 1:27 PM
Herald added subscribers: llvm-commits, dexonsmith. · View Herald Transcript
pietroalbini requested review of this revision.Oct 8 2020, 1:27 PM
Harbormaster completed remote builds in B74479: Diff 297040.Oct 8 2020, 2:11 PM
kristof.beyls added a comment.Oct 9 2020, 1:04 AM

Thanks for this @pietroalbini !
This LGTM.
I'd also like to hear @mattdr's or @jfb's opinion before committing though.

mattdr accepted this revision.Oct 9 2020, 1:21 AM

Thanks for writing this down. I think this presents a consistent state on our way to something more permanent. LGTM.

This revision is now accepted and ready to land.Oct 9 2020, 1:21 AM
pietroalbini added a comment.Oct 13 2020, 12:51 AM

This seems to be approved, what's the process of landing the commit? I don't have commit access to LLVM.

kristof.beyls added a comment.Oct 13 2020, 1:18 AM
In D89068#2326910, @pietroalbini wrote:

This seems to be approved, what's the process of landing the commit? I don't have commit access to LLVM.

You can get commit access as described in https://llvm.org/docs/DeveloperPolicy.html#obtaining-commit-access
If you prefer, I am also happy to commit this on your behalf (just let me know if so).

pietroalbini added a comment.Oct 13 2020, 1:25 AM

I think it'd be best for you to commit on my behalf (Pietro Albini <pietro@pietroalbini.org>): requesting write access to merge my first commit is a bit weird :D

Closed by commit rG05ef552e5660: Add expected response time and escalation path to the security docs (authored by pietroalbini, committed by kristof.beyls). · Explain WhyOct 13 2020, 1:57 AM
This revision was automatically updated to reflect the committed changes.
kristof.beyls added a commit: rG05ef552e5660: Add expected response time and escalation path to the security docs.

Revision Contents

PathSize
llvm/
docs/
5 lines

Diff 297789

llvm/docs/Security.rst

Show First 20 LinesShow All 201 Lines▼ Show 20 Lines
* Language front-ends, such as clang, for which a malicious input file can cause undesirable behavior. For example, a maliciously-crafter C or Rust source file can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been hardened, and compiling untrusted code usually also includes running utilities such as `make` which can more readily perform malicious things. * Language front-ends, such as clang, for which a malicious input file can cause undesirable behavior. For example, a maliciously-crafter C or Rust source file can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been hardened, and compiling untrusted code usually also includes running utilities such as `make` which can more readily perform malicious things.
* *FUTURE*: this section will be expanded. * *FUTURE*: this section will be expanded.
.. _report-security-issue: .. _report-security-issue:
How to report a security issue? How to report a security issue?
=============================== ===============================
*FUTURE*: this section will be expanded once we’ve figured out other details above. *FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below.
Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters. Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters.
We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it.
.. _CVE process: https://cve.mitre.org .. _CVE process: https://cve.mitre.org
.. _chromium issue tracker: https://crbug.com .. _chromium issue tracker: https://crbug.com
.. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
.. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev
.. _MITRE: https://cve.mitre.org .. _MITRE: https://cve.mitre.org