From 05ef552e5660d05cb6cd730c734e709d8323fd6f Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Tue, 13 Oct 2020 10:51:26 +0200 Subject: [PATCH] Add expected response time and escalation path to the security docs Following up on the discussion within the group during the roundtable at the 2020 LLVM Developers Meeting, this commit adds to the security docs: * How long we expect acknowledging security reports will take * The escalation path the reporter can follow if they get no response A temporary line inviting reporters to directly follow the escalation path while the mailing list is being set up is also added. Differential Revision: https://reviews.llvm.org/D89068 --- llvm/docs/Security.rst | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/llvm/docs/Security.rst b/llvm/docs/Security.rst index 8f71db1..d73a9e8 100644 --- a/llvm/docs/Security.rst +++ b/llvm/docs/Security.rst 
@@ -207,13 +207,14 @@ The parts of the LLVM Project which are currently treated as non-security sensit How to report a security issue? =============================== -*FUTURE*: this section will be expanded once we’ve figured out other details above. +*FUTURE*: this section will be expanded once we’ve figured out other details above. In the meantime, if you found a security issue please follow directly the escalation instructions below. Not everyone who wants to report a security issue will be familiar with LLVM, its community, and processes. Therefore, this needs to be easy to find on the LLVM website, and set clear expectations to issue reporters. - +We aim to acknowledge your report within two business days since you first reach out. If you do not receive any response by then, you can escalate by sending a message to the `llvm-dev mailing list`_ asking to get in touch with someone from the LLVM Security Group. **The escalation mailing list is public**: avoid discussing or mentioning the specific issue when posting on it. .. _CVE process: https://cve.mitre.org .. _chromium issue tracker: https://crbug.com .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories +.. _llvm-dev mailing list: https://lists.llvm.org/mailman/listinfo/llvm-dev .. _MITRE: https://cve.mitre.org -- 2.7.4
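Review bot: the hunk deletes the blank line after "...set clear expectations to issue reporters." and places the new "We aim to acknowledge your report..." sentence where it was, so in reStructuredText the new text is likely to render as a continuation of the previous paragraph rather than as its own; add a blank line before "We aim to acknowledge" and keep one before the ".. _CVE process:" target. Two wording points in the same hunk: "within two business days since you first reach out" reads better as "within two business days of your first reaching out", and "please follow directly the escalation instructions below" as "please follow the escalation instructions below directly". On substance, since llvm-dev is the interim first contact as well as the escalation path, the paragraph could also tell reporters what they may safely say there (that they have a security report and need a private contact), not only what to omit.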