Lines Matching +full:pull +full:- +full:requests
7 1. Allow LLVM contributors and security researchers to disclose security-related issues affecting the LLVM project to members of the LLVM community.
10 4. Ensure timely notification and release to vendors who package and distribute LLVM-based toolchains and projects.
11 5. Ensure timely notification to users of LLVM-based toolchains whose compiled code is security-sensitive, through the `CVE process`_.
17 .. _report-security-issue:
22 To report a security issue in any of the LLVM projects, please use the `report a vulnerability`_ feature in the `llvm/llvm-security-repo`_ repository on GitHub, under the "Security" tab.
31 -------------------------------
33 The members of the group represent a wide cross-section of the community, and
53 * Serge Guelton (Mozilla) [@serge-sans-paille]
55 * Shayne Hiet-Block (Microsoft) [@GreatKeeper]
58 * Will Huhn (Intel) [@wphuhn-intel]
62 --------
66 - Individual contributors:
68 + Specializes in fixing compiler-based security-related issues or often participates in their exploration and resolution.
71 + Has actively contributed non-trivial code to the LLVM project in the last year.
73 - Researchers:
78 - Vendor contacts:
84 - If already in the LLVM Security Response Group, has actively participated in one (if any) security issue in the last year.
85 - If already in the LLVM Security Response Group, has actively participated in most membership discussions in the last year.
86 - If already in the LLVM Security Response Group, has actively participated in writing or reviewing a transparency report in the last year.
87 - When employed by a company or other entity, the parent entity has no more than three members already in the LLVM Security Response Group.
88 - When nominated as a vendor contact, their position with that vendor remains the same as when originally nominated.
89 - Nominees are trusted by existing LLVM Security Response Group members to keep communications embargoed while still active.
92 ------------------
96 For the moment, nominations are generally proposed, discussed, and voted on using a GitHub pull request. An `example nomination is available here`_. The use of pull requests helps keep membership discussions open, transparent, and easily accessible to LLVM developers in many ways. If, for any reason, a fully world-readable nomination seems inappropriate, you may reach out to the LLVM Security Response Group via the `report a vulnerability`_ route, and a discussion can be had about the best way to approach nomination, given the constraints that individuals are under.
99 --------------------
101 If a nomination for LLVM Security Response Group membership is supported by a majority of existing LLVM Security Response Group members, then it carries within five business days unless an existing member of the Security Response Group objects. If an objection is raised, the LLVM Security Response Group members should discuss the matter and try to come to consensus; failing this, the nomination will succeed only by a two-thirds supermajority vote of the LLVM Security Response Group.
104 --------------------
109 --------------------------
118 -------------------
129 ------
134 ---------------
138 * Members should not disclose security issue information to non-members unless both members are employed by the same vendor of an LLVM-based product, in which case information can be shared within that organization on a need-to-know basis and handled as confidential information normally is within that organization.
139 * If the LLVM Security Response Group agrees, designated members may share issues with vendors of non-LLVM based products if their product suffers from the same issue. The non-LLVM vendor should be asked to respect the issue’s embargo date, and to not share the information beyond the need-to-know people within their organization.
143 ----------
145 Following the process below, the LLVM Security Response Group decides on an embargo date for public disclosure for each security issue. An embargo may be lifted before the agreed-upon date if all vendors planning to ship a fix have already done so, and if the reporter does not object.
148 -------------
162 The medium used to host LLVM Security Response Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations.
175 We often have these discussions publicly, in our :ref:`monthly public sync-up call <online-sync-ups>` and on the Discourse forums. For internal or confidential discussions, we also use a private mailing list.
183 * Within two business days, a member of the LLVM Security Response Group is put in charge of driving the issue to an acceptable resolution. This champion doesn’t need to be the same person for each issue. This person can self-nominate.
206 considered security-sensitive. This is particularly true because LLVM is used in
213 a part of the codebase be designated as security-sensitive (or no longer
214 security-sensitive). This requires a rationale, and buy-in from the LLVM
216 as security-sensitive but need significant work to get to the stage where that's
223 If you're not sure whether an issue is in-scope for this security process or
228 The security-sensitive parts of the LLVM Project currently are the following.
232 issues to the LLVM Security Response Group that you believe are security-sensitive.
234 The parts of the LLVM Project which are currently treated as non-security
237 * Language front-ends, such as clang, for which a malicious input file can cause
245 .. _report a vulnerability: https://github.com/llvm/llvm-security-repo/security/advisories/new
246 .. _llvm/llvm-security-repo: https://github.com/llvm/llvm-security-repo/security
247 .. _GitHub's mechanism to privately report security vulnerabilities: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
248 .. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
251 .. _example nomination is available here: https://github.com/llvm/llvm-project/pull/92174