============================
LLVM Security Response Group
============================

The LLVM Security Response Group has the following goals:

1. Allow LLVM contributors and security researchers to disclose security-related issues affecting the LLVM project to members of the LLVM community.
2. Organize fixes, code reviews, and release management for said issues.
3. Allow distributors time to investigate and deploy fixes before wide dissemination of vulnerabilities or mitigation shortcomings.
4. Ensure timely notification and release to vendors who package and distribute LLVM-based toolchains and projects.
5. Ensure timely notification to users of LLVM-based toolchains whose compiled code is security-sensitive, through the `CVE process`_.

*Note*: these goals ensure timely action, provide disclosure timing when issues are reported, and respect vendors' / packagers' / users' constraints.

The LLVM Security Response Group is private. It is composed of trusted LLVM contributors. Its discussions remain within the LLVM Security Response Group (plus issue reporter and key experts) while an issue is being investigated. After an issue becomes public, the entirety of the group’s discussions pertaining to that issue also become public.

.. _report-security-issue:

How to report a security issue?
===============================

To report a security issue in any of the LLVM projects, please use the `report a vulnerability`_ feature in the `llvm/llvm-security-repo`_ repository on GitHub, under the "Security" tab.

We aim to acknowledge your report within two business days of your first contact. If you do not receive any response by then, you can escalate by posting on the `Discourse forums`_ asking to get in touch with someone from the LLVM Security Response Group. **The escalation channel is public**: avoid discussing or mentioning the specific issue when posting on it.


Group Composition
=================

Security Response Group Members
-------------------------------

The members of the group represent a wide cross-section of the community, and
meet the criteria for inclusion below. The list is in the format
``* ${full_name} (${affiliation}) [${github_username}]``. If a GitHub
username for an individual isn't available, the brackets will be empty.

* Abhay Kanhere (Apple) [@AbhayKanhere]
* Ahmed Bougacha (Apple) [@ahmedbougacha]
* Artur Pilipenko (Azul Systems Inc) []
* Boovaragavan Dasarathan (Nvidia) [@mrragava]
* Dimitry Andric (individual; FreeBSD) [@DimitryAndric]
* Ed Maste (individual; FreeBSD) [@emaste]
* George Burgess IV (Google) [@gburgessiv]
* Josh Stone (Red Hat; Rust) [@cuviper]
* Kristof Beyls (ARM) [@kbeyls]
* Matthew Riley (Google) [@mmdriley]
* Matthew Voss (Sony) [@ormris]
* Nikhil Gupta (Nvidia) []
* Oliver Hunt (Apple) [@ojhunt]
* Peter Smith (ARM) [@smithp35]
* Pietro Albini (Ferrous Systems; Rust) [@pietroalbini]
* Serge Guelton (Mozilla) [@serge-sans-paille]
* Sergey Zverev (Intel) [@offsake]
* Shayne Hiet-Block (Microsoft) [@GreatKeeper]
* Tim Penge (Sony) [@tpenge]
* Tulio Magno Quites Machado Filho (Red Hat) [@tuliom]
* Will Huhn (Intel) [@wphuhn-intel]
* Yvan Roux (ST) [@yroux]

Criteria
--------

* Nominees for LLVM Security Response Group membership should fall in one of these groups:

  - Individual contributors:

    + Specializes in fixing compiler-based security related issues or often participates in their exploration and resolution.
    + Has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
    + Is a compiler expert who has specific interests in knowing about, resolving, and preventing future security vulnerabilities.
    + Has actively contributed non-trivial code to the LLVM project in the last year.

  - Researchers:

    + Has a track record of finding security vulnerabilities and responsible disclosure of those vulnerabilities.
    + Is a compiler expert who has specific interests in knowing about, resolving, and preventing future security vulnerabilities.

  - Vendor contacts:

    + Represents an organization or company which ships products that include their own copy of LLVM. Due to their position in the organization, the nominee has a reasonable need to know about security issues and disclosure embargoes.

* Additionally, the following are necessary but not sufficient criteria for membership in the LLVM Security Response Group:

  - If already in the LLVM Security Response Group, has actively participated in at least one security issue in the last year (if any were handled).
  - If already in the LLVM Security Response Group, has actively participated in most membership discussions in the last year.
  - If already in the LLVM Security Response Group, has actively participated in writing or reviewing a transparency report in the last year.
  - When employed by a company or other entity, the parent entity has no more than three members already in the LLVM Security Response Group.
  - When nominated as a vendor contact, their position with that vendor remains the same as when originally nominated.
  - Nominees are trusted by existing LLVM Security Response Group members to keep communications embargoed while still active.

Nomination process
------------------

Anyone who feels they meet these criteria can nominate themselves, or may be nominated by a third party such as an existing LLVM Security Response Group member. The nomination should state whether the nominee is nominated as an individual, researcher, or as a vendor contact. It should clearly describe the grounds for nomination.

For the moment, nominations are generally proposed, discussed, and voted on using a GitHub pull request. An `example nomination is available here`_. The use of pull requests helps keep membership discussions open, transparent, and easily accessible to LLVM developers in many ways. If, for any reason, a fully-world-readable nomination seems inappropriate, you may reach out to the LLVM Security Response Group via the `report a vulnerability`_ route, and a discussion can be had about the best way to approach nomination, given the constraints that individuals are under.

Choosing new members
--------------------

If a nomination for LLVM Security Response Group membership is supported by a majority of existing LLVM Security Response Group members, then it carries within five business days unless an existing member of the Security Response Group objects. If an objection is raised, the LLVM Security Response Group members should discuss the matter and try to come to consensus; failing this, the nomination will succeed only by a two-thirds supermajority vote of the LLVM Security Response Group.

Accepting membership
--------------------

Before new LLVM Security Response Group membership is finalized, the successful nominee should accept membership and agree to abide by this security policy, particularly `Privileges and Responsibilities of LLVM Security Response Group Members`_ below.

Keeping Membership Current
--------------------------

* At least every six months, the LLVM Security Response Group applies the above criteria. The membership list is pruned accordingly.
* Any LLVM Security Response Group member can ask that the criteria be applied within the next five business days.
* If a member of the LLVM Security Response Group does not act in accordance with the letter and spirit of this policy, then their LLVM Security Response Group membership can be revoked by a majority vote of the members, not including the person under consideration for revocation. After a member calls for a revocation vote, voting will be open for five business days.
* Emergency suspension: an LLVM Security Response Group member who blatantly disregards the LLVM Security Policy may have their membership temporarily suspended on the request of any two members. In such a case, the requesting members should notify the LLVM Security Response Group with a description of the offense. At this point, membership will be temporarily suspended for five business days, pending outcome of the vote for permanent revocation.
* The LLVM Board may remove any member from the LLVM Security Response Group.

Transparency Report
-------------------

Every year, the LLVM Security Response Group must publish a transparency report. The intent of this report is to keep the community informed by summarizing the disclosures that have been made public in the last year. It shall contain a list of all public disclosures, as well as statistics on time to fix issues, length of embargo periods, and so on.

The transparency reports are published at :doc:`SecurityTransparencyReports`.


Privileges and Responsibilities of LLVM Security Response Group Members
=======================================================================

Access
------

LLVM Security Response Group members will be subscribed to a private `Discussion Medium`_. It will be used for technical discussions of security issues, as well as process discussions about matters such as disclosure timelines and group membership. Members have access to all security issues.

Confidentiality
---------------

Members of the LLVM Security Response Group will be expected to treat LLVM security issue information shared with the group as confidential until publicly disclosed:

* Members should not disclose security issue information to non-members unless the member and the recipient are employed by the same vendor of an LLVM-based product, in which case information can be shared within that organization on a need-to-know basis and handled as confidential information normally is within that organization.
* If the LLVM Security Response Group agrees, designated members may share issues with vendors of non-LLVM based products if their product suffers from the same issue. The non-LLVM vendor should be asked to respect the issue’s embargo date, and to not share the information beyond the need-to-know people within their organization.
* If the LLVM Security Response Group agrees, key experts can be brought in to help address particular issues. The key expert should be asked to respect the issue’s embargo date, and to not share the information.

Disclosure
----------

Following the process below, the LLVM Security Response Group decides on an embargo date for public disclosure of each security issue. An embargo may be lifted before the agreed-upon date if all vendors planning to ship a fix have already done so, and if the reporter does not object.

Collaboration
-------------

Members of the LLVM Security Response Group are expected to:

* Promptly share any LLVM vulnerabilities they become aware of.
* Volunteer to drive issues forward.
* Help evaluate the severity of incoming issues.
* Help write and review patches to address security issues.
* Participate in the member nomination and removal processes.


Discussion Medium
=================

The medium used to host LLVM Security Response Group discussions is security-sensitive. It should therefore run on infrastructure which can meet our security expectations.

We use `GitHub's mechanism to privately report security vulnerabilities`_ to have security discussions:

* File security issues.
* Discuss security improvements to LLVM.

We also occasionally need to discuss logistics of the LLVM Security Response Group itself:

* Nominate new members.
* Propose member removal.
* Suggest policy changes.

We often have these discussions publicly, in our :ref:`monthly public sync-up call <online-sync-ups>` and on the Discourse forums. For internal or confidential discussions, we also use a private mailing list.

Process
=======

The following process occurs on the discussion medium for each reported issue:

* A security issue reporter (not necessarily an LLVM contributor) reports an issue.
* Within two business days, a member of the LLVM Security Response Group is put in charge of driving the issue to an acceptable resolution. This champion doesn’t need to be the same person for each issue. This person can self-nominate.
* Members of the LLVM Security Response Group discuss in which circumstances (if any) an issue is relevant to security, and determine if it is a security issue.
* Negotiate an embargo date for public disclosure, with a default minimum time limit of ninety days.
* LLVM Security Response Group members can recommend that key experts be pulled in to specific issue discussions. The key expert can be pulled in unless there are objections from other LLVM Security Response Group members.
* Patches are written and reviewed.
* Backporting security patches from recent versions to old versions cannot always work. It is up to the LLVM Security Response Group to decide if such backporting should be done, and how far back.
* The LLVM Security Response Group figures out how the LLVM project’s own releases, as well as individual vendors’ releases, can be timed to patch the issue simultaneously.
* The embargo date can be delayed or pulled forward at the LLVM Security Response Group’s discretion.
* The issue champion obtains a CVE entry from MITRE_.
* Once the embargo expires, the patch is posted publicly according to LLVM’s usual code review process.
* All security issues (as well as nomination / removal discussions) become public within approximately fourteen weeks of the fix landing in the LLVM repository. Precautions should be taken to avoid disclosing particularly sensitive data included in the report (e.g. username and password pairs).


Changes to the Policy
=====================

The LLVM Security Policy may be changed by majority vote of the LLVM Security Response Group. Such changes also need to be approved by the LLVM Board.


What is considered a security issue?
====================================

The LLVM Project has a significant amount of code, and not all of it is
considered security-sensitive. This is particularly true because LLVM is used in
a wide variety of circumstances: there are different threat models, untrusted
inputs differ, and the environment LLVM runs in is varied. Therefore, what the
LLVM Project considers a security issue is what its members have signed up to
maintain securely.

As this security process matures, members of the LLVM community can propose that
a part of the codebase be designated as security-sensitive (or no longer
security-sensitive). This requires a rationale, and buy-in from the LLVM
community as for any RFC. In some cases, parts of the codebase could be handled
as security-sensitive but need significant work to get to the stage where that's
manageable. The LLVM community will need to decide whether it wants to invest in
making these parts of the code securable, and maintain these security
properties over time. In all cases the LLVM Security Response Group should be consulted,
since they'll be responding to security issues filed against these parts of the
codebase.

If you're not sure whether an issue is in-scope for this security process or
not, err towards assuming that it is. The Security Response Group might agree or disagree
and will explain its rationale in the report, as well as update this document
through the above process.

The security-sensitive parts of the LLVM Project currently are the following.
Note that this list can change over time.

* None are currently defined. Please don't let this stop you from reporting
  issues to the LLVM Security Response Group that you believe are security-sensitive.

The parts of the LLVM Project which are currently treated as non-security
sensitive are the following. Note that this list can change over time.

* Language front-ends, such as clang, for which a malicious input file can cause
  undesirable behavior. For example, a maliciously crafted C or Rust source file
  can cause arbitrary code to execute in LLVM. These parts of LLVM haven't been
  hardened, and compiling untrusted code usually also includes running utilities
  such as ``make`` which can more readily perform malicious things.


.. _CVE process: https://cve.mitre.org
.. _report a vulnerability: https://github.com/llvm/llvm-security-repo/security/advisories/new
.. _llvm/llvm-security-repo: https://github.com/llvm/llvm-security-repo/security
.. _GitHub's mechanism to privately report security vulnerabilities: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
.. _GitHub security: https://help.github.com/en/articles/about-maintainer-security-advisories
.. _Discourse forums: https://discourse.llvm.org
.. _MITRE: https://cve.mitre.org
.. _example nomination is available here: https://github.com/llvm/llvm-project/pull/92174
