# Life of a Security Issue

Last change: Robert Seseke, 4d979b, 2022-07-11 23:22:14

This page will help you understand the life cycle of a manually-reported
external security bug in the Chromium project. Internally reported and
fuzzer-found bugs follow a similar lifecycle, though specific details vary. The
process can be visualized at a high level using the state diagram below, and
further explanation is provided in the paragraphs that follow.

![alt text](life-of-a-security-issue.png "Sequence diagram of the life of a security issue")

<pre style="display:none" data-note="Source code for sequence diagram. Gitiles will not display this.">
<!--
https://mermaid.live/edit#pako:eNqNU71uwjAQfpWTh070BTJUqgKd2goBYiEdLvZBLBw79Q9thHj3OpAgklCJJUpy39_d2UfGjSCWMEffgTSnqcSdxTLTmcfgjQ5lTrb5qtB6yWWF2sOCKmP9-P-SeLDS17Cii8RtcUoHUqY6s2Kp03h-eenRklYd8rBrcL3iGLyyMTD9B756JvDqnNzpFhihn8YTmAPZazeTG_QmNdoF5dFLo78ujGt5IBx8YSygFqCaR_oORkOJckQaRP9Au2_yADrI2Jv8JZGxi1W_j1Ej5Bxso2eOfN9kd8OAfUZakLU1VJLv78mPgq0Xc5ijJnUP203rOtEnqLAGSz9oxUOEdD17IMQ85Eq6IgorQkfRxnUAHVfnBqeoZ7Q5k7mqQUjHlXEUV8gmrCQb9yLicT9mGuLQfUElZSyJr4K2GBfebOAUoaES6GkmpDeWJVtUjiasuRHLWnOWeBuoA7VXpkWd_gADszf5
-->

sequenceDiagram
    autonumber
    participant Reporter
    participant Security Team
    participant Developer

    Reporter->>Security Team: Report bug
    Security Team->>Security Team: Triage bug
    Security Team->>Developer: Assign bug

    Note over Reporter,Developer: [Consultation]

    Developer->>Developer: Author and land CL on main
    Developer->>Security Team: Mark bug as "Fixed"

    Security Team-->>Developer: Assess for backports

    Developer-->>Developer: Cherry pick

    Security Team->>Security Team: VRP Panel
    Security Team->>Reporter: Assign & pay reward
    Security Team->>Reporter: Assign CVE
    Security Team->>Security Team: Publish release & security notes

    Reporter-->>Reporter: [Publicly disclose]
</pre>

## 1. Report bug

A security bug begins when a reporter [responsibly
discloses](https://www.chromium.org/Home/chromium-security/reporting-security-bugs/)
a bug in the [Chromium issue
tracker](https://code.google.com/p/chromium/issues/entry?template=Security%20Bug).
The new bug is placed in a queue of other incoming security bugs, and it is
view-restricted to the reporter and select individuals on a need-to-know
basis.

Bug reports that include specific steps to reproduce, analysis, proofs of
concept, and/or suggested patches are encouraged. Please also check the
[FAQ](faq.md) to learn about issues that are frequently reported.

## 2. Triage bug

After the bug is filed, a [security sheriff](sheriff.md) will evaluate the
report. The sheriff does several tasks:

- Validate that the bug reproduces
- Search for any duplicate reports
- Tag the bug with components
- Assess the bug's [severity](severity-guidelines.md)
- Determine the versions affected
- Assign the bug to a developer

## 3. Assign bug

The primary job of the sheriff is to route valid and actionable reports of
security bugs to the Chromium developer who is best poised to fix the issue.

After the issue is assigned, there may be discussion between the developer(s)
involved, members of the security team, and the original reporter.

## 4. Author and land a CL on `main`

The developer will author a fix and a regression test for the security issue.
Once the CL lands, it will not yet be widely available to users, since it is
only in the `main` branch. Unless further steps are taken (see below), the fix
will roll out as part of the normal [release
process](../process/release_cycle.md).

Reporters are welcome to include a suggested patch in the report or to [upload a
CL](../contributing.md) with the fix. In that case, the developer assigned to
the bug can help code review and land it.

## 5. Mark bug as *Fixed*

Once the CL has landed, the developer should set the bug's status to *Fixed*.
When the bug moves into the *Fixed* state, the security team's automation
systems begin processing the bug report. In particular, the tools will add
[merge request](../process/merge_request.md) labels, based on the severity and
impact assessed by the sheriff during triage.

## 6. Assess for backports

A member of the security team or a security technical program manager (TPM) will
make the [final
determination](https://www.chromium.org/Home/chromium-security/security-release-management/)
as to whether backports of the fix should occur to Stable and/or pre-Stable
Chrome release channels.

## 7. Cherry pick

If approved for backporting, the developer will [cherry
pick](../process/merge_request.md#landing-an-approved-merge) the CL to the
release branches identified by the security TPM.

## 8. VRP Panel

Members of the security team meet regularly as a panel to assess [vulnerability
rewards](vrp-faq.md) for externally reported security bugs. The individuals on
the panel will [take into account](https://g.co/chrome/vrp) the severity and
impact of the bug, the quality of the bug report, whether a patch/fix was
proposed with the report, and other mitigating circumstances. The VRP panel will
assign any reward amount for the bug.

## 9. Assign and pay reward

After the VRP panel meets, the reporter will be notified of the VRP reward
decision through the bug report, and a label will be applied with the VRP reward
amount.

## 10. Assign CVE

At the time that the security fix is shipped to a Stable channel release, a
security TPM will assign the issue a [CVE](https://www.cve.org/) number. CVE
numbers need to point to a publicly accessible artifact, and Chrome uses the
releases blog (see below) for this purpose.

## 11. Publish release & security notes

The Chrome Release team releases an update of Chrome containing the security
fix. If the fix is included in a Stable channel release of Chrome, it will be
listed and acknowledged in the security fix notes on the [Chrome Releases
blog](https://googlechromereleases.blogspot.com/). Security issues will be
highlighted with a short description, any reward amount, the CVE number, and an
acknowledgement of the reporter as requested (if they have consented to it).

## 12. Publicly disclose

Except in rare circumstances where the bug report has been embargoed, 14 weeks
after the issue is marked *Fixed*, security automation opens the bug for public
disclosure. At that time, the reporter can consider their obligations under
responsible disclosure to be fulfilled.
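
The following is an added example, not Chromium's own tooling and not code from the original page. It models the two automated parts of the lifecycle described in steps 5 and 12: the label added when a bug moves to *Fixed*, and the sweep that opens a non-embargoed bug for public disclosure 14 weeks later. The state names, severity names, `Merge-Request-*-PLACEHOLDER` label strings and the three bug records are constructed assumptions; only the 14-week delay and the embargo exception come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Stated on the page: bugs open for public disclosure 14 weeks after *Fixed*.
DISCLOSURE_DELAY = timedelta(weeks=14)

# Hypothetical severity names and label strings. The real severity guidelines
# and merge-request labels live in other documents, not on this page.
MERGE_LABELS = {
    "Critical": "Merge-Request-Stable-PLACEHOLDER",
    "High": "Merge-Request-Stable-PLACEHOLDER",
    "Medium": "Merge-Request-Beta-PLACEHOLDER",
    "Low": None,  # assumption: rolls out with the normal release, no label
}

# Simplified lifecycle states and the only transitions this model allows.
TRANSITIONS = {
    "New": {"Assigned"},       # steps 2-3: sheriff triages and assigns
    "Assigned": {"Fixed"},     # step 5: developer marks Fixed once the CL lands
    "Fixed": {"Disclosed"},    # step 12: automation opens the bug
}


@dataclass
class SecurityBug:
    bug_id: int
    severity: str
    status: str = "New"
    view_restricted: bool = True   # restricted from the moment it is filed
    embargoed: bool = False        # the "rare circumstances" exception
    fixed_at: Optional[datetime] = None
    labels: list = field(default_factory=list)


def transition(bug: SecurityBug, new_status: str) -> None:
    """Reject any move the lifecycle does not permit (e.g. New -> Fixed)."""
    if new_status not in TRANSITIONS.get(bug.status, set()):
        raise ValueError(f"bug {bug.bug_id}: {bug.status} -> {new_status} not allowed")
    bug.status = new_status


def mark_fixed(bug: SecurityBug, now: datetime) -> SecurityBug:
    """Step 5: entering Fixed starts the clock and adds the merge label."""
    transition(bug, "Fixed")
    bug.fixed_at = now
    label = MERGE_LABELS.get(bug.severity)
    if label:
        bug.labels.append(label)
    return bug


def disclosure_due_at(bug: SecurityBug) -> Optional[datetime]:
    """When automation may open the bug; None if not fixed or embargoed."""
    if bug.fixed_at is None or bug.embargoed:
        return None
    return bug.fixed_at + DISCLOSURE_DELAY


def disclosure_sweep(bugs, now: datetime) -> list:
    """Step 12: open every non-embargoed bug whose 14-week clock has run out."""
    opened = []
    for bug in bugs:
        due = disclosure_due_at(bug)
        if bug.status == "Fixed" and due is not None and now >= due:
            transition(bug, "Disclosed")
            bug.view_restricted = False
            opened.append(bug.bug_id)
    return opened


def parse_utc(text: str) -> datetime:
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def run_demo(now_text: str = "2022-10-17T00:00:00") -> dict:
    """Constructed sample: three bugs fixed on different dates."""
    now = parse_utc(now_text)
    bugs = [
        SecurityBug(1001, "High"),
        SecurityBug(1002, "Medium"),
        SecurityBug(1003, "Critical", embargoed=True),
    ]
    for bug in bugs:
        transition(bug, "Assigned")
    mark_fixed(bugs[0], parse_utc("2022-07-11T00:00:00"))  # exactly 14 weeks ago
    mark_fixed(bugs[1], parse_utc("2022-07-18T00:00:00"))  # one week short
    mark_fixed(bugs[2], parse_utc("2022-06-01T00:00:00"))  # embargoed: never auto-opens
    opened = disclosure_sweep(bugs, now)
    return {
        "opened": opened,
        "labels": {b.bug_id: list(b.labels) for b in bugs},
        "restricted": {b.bug_id: b.view_restricted for b in bugs},
    }


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` opens only bug 1001: bug 1002 is a week short of the 14-week mark and bug 1003 is embargoed, so both stay view-restricted even though all three carry their merge labels from the moment they were marked Fixed.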