| Robert Sesek | e4d979b | 2022-07-11 23:22:14 | [diff] [blame^] | 1 | # Life of a Security Issue |
| 2 | |
| 3 | This page will help you understand the life cycle of a manually-reported |
| 4 | external security bug in the Chromium project. Internally reported and |
| 5 | fuzzer-found bugs follow a similar lifecycle, though specific details vary. The |
| 6 | process can be visualized at a high level using the state diagram below, and |
| 7 | further explanation is provided in the paragraphs that follow. |
| 8 | |
| 9 |  |
| 10 | |
| 11 | <pre style="display:none" data-note="Source code for sequence diagram. Gitiles will not display this."> |
| 12 | <!-- |
| 13 | https://mermaid.live/edit#pako:eNqNU71uwjAQfpWTh070BTJUqgKd2goBYiEdLvZBLBw79Q9thHj3OpAgklCJJUpy39_d2UfGjSCWMEffgTSnqcSdxTLTmcfgjQ5lTrb5qtB6yWWF2sOCKmP9-P-SeLDS17Cii8RtcUoHUqY6s2Kp03h-eenRklYd8rBrcL3iGLyyMTD9B756JvDqnNzpFhihn8YTmAPZazeTG_QmNdoF5dFLo78ujGt5IBx8YSygFqCaR_oORkOJckQaRP9Au2_yADrI2Jv8JZGxi1W_j1Ej5Bxso2eOfN9kd8OAfUZakLU1VJLv78mPgq0Xc5ijJnUP203rOtEnqLAGSz9oxUOEdD17IMQ85Eq6IgorQkfRxnUAHVfnBqeoZ7Q5k7mqQUjHlXEUV8gmrCQb9yLicT9mGuLQfUElZSyJr4K2GBfebOAUoaES6GkmpDeWJVtUjiasuRHLWnOWeBuoA7VXpkWd_gADszf5 |
| 14 | --> |
| 15 | |
| 16 | sequenceDiagram |
| 17 | autonumber |
| 18 | participant Reporter |
| 19 | participant Security Team |
| 20 | participant Developer |
| 21 | |
| 22 | Reporter->>Security Team: Report bug |
| 23 | Security Team->>Security Team: Triage bug |
| 24 | Security Team->>Developer: Assign bug |
| 25 | |
| 26 | Note over Reporter,Developer: [Consultation] |
| 27 | |
| 28 | Developer->>Developer: Author and land CL on main |
| 29 | Developer->>Security Team: Mark bug as "Fixed" |
| 30 | |
| 31 | Security Team-->>Developer: Assess for backports |
| 32 | |
| 33 | Developer-->>Developer: Cherry pick |
| 34 | |
| 35 | Security Team->>Security Team: VRP Panel |
| 36 | Security Team->>Reporter: Assign & pay reward |
| 37 | Security Team->>Reporter: Assign CVE |
| 38 | Security Team->>Security Team: Publish release & security notes |
| 39 | |
| 40 | Reporter-->>Reporter: [Publicly disclose] |
| 41 | </pre> |
| 42 | |
| 43 | ## 1. Report bug |
| 44 | |
| 45 | A security bug begins when a reporter [responsibly |
| 46 | discloses](https://www.chromium.org/Home/chromium-security/reporting-security-bugs/) |
| 47 | a bug in the [Chromium issue |
| 48 | tracker](https://code.google.com/p/chromium/issues/entry?template=Security%20Bug). |
| 49 | The new bug is placed in a queue of other incoming security bugs, and it is |
| 50 | view-restricted to the reporter and select individuals on a need-to-know |
| 51 | basis. |
| 52 | |
| 53 | Bug reports that include specific steps to reproduce, analysis, proofs of |
| 54 | concept, and/or suggested patches are encouraged. Please also check the |
| 55 | [FAQ](faq.md) to learn about issues that are frequently reported. |
| 56 | |
| 57 | ## 2. Triage bug |
| 58 | |
| 59 | After the bug is filed, a [security sheriff](sheriff.md) will evaluate the |
| 60 | report. The sheriff does several tasks: |
| 61 | |
| 62 | - Validate that the bug reproduces |
| 63 | - Searching for any duplicate reports |
| 64 | - Tag the bug with components |
| 65 | - Assess the bug's [severity](severity-guidelines.md) |
| 66 | - Determine the versions affected |
| 67 | - Assign the bug to a developer |
| 68 | |
| 69 | ## 3. Assign bug |
| 70 | |
| 71 | The primary job of the sheriff is to route valid and actionable reports of |
| 72 | security bugs to the Chromium developer who is best poised to fix the issue. |
| 73 | |
| 74 | After the issue is assigned, there may be discussion between the developer(s) |
| 75 | involved, members of the security team, and the original reporter. |
| 76 | |
| 77 | ## 4. Author and land a CL on `main` |
| 78 | |
| 79 | The developer will author a fix and a regression test for the security issue. |
| 80 | Once the CL lands, it will not yet be widely available to users, since it is |
| 81 | only in the `main` branch. Unless further steps are taken (see below), the fix |
| 82 | will roll out as part of the normal [release |
| 83 | process](../process/release_cycle.md). |
| 84 | |
| 85 | Reporters are welcome to include a suggested patch in the report or to [upload a |
| 86 | CL](../contributing.md) with the fix. In that case, the developer assigned to |
| 87 | the bug can help code review and land it. |
| 88 | |
| 89 | ## 5. Mark bug as *Fixed* |
| 90 | |
| 91 | Once the CL has landed, the developer should set the bug's status to *Fixed*. |
| 92 | When the bug moves into the *Fixed* state, the security team's automation |
| 93 | systems begin processing the bug report. In particular, the tools will add |
| 94 | [merge request](../process/merge_request.md) labels, based on the severity and |
| 95 | impact assessed by the sheriff during triage. |
| 96 | |
| 97 | ## 6. Assess for backports |
| 98 | |
| 99 | A member of the security team or a security technical program manager (TPM) will |
| 100 | make the [final |
| 101 | determination](https://www.chromium.org/Home/chromium-security/security-release-management/) |
| 102 | as to whether backports of the fix should occur to Stable and/or pre-Stable |
| 103 | Chrome release channels. |
| 104 | |
| 105 | ## 7. Cherry pick |
| 106 | |
| 107 | If approved for backporting, the developer will [cherry |
| 108 | pick](../process/merge_request.md#landing-an-approved-merge) the CL to the |
| 109 | release branches identified by the security TPM. |
| 110 | |
| 111 | ## 8. VRP Panel |
| 112 | |
| 113 | Members of the security team meet regularly as a panel to assess [vulnerability |
| 114 | rewards](vrp-faq.md) for externally reported security bugs. The individuals on |
| 115 | the panel will [take into account](https://g.co/chrome/vrp) the severity and |
| 116 | impact of the bug, the quality of the bug report, whether a patch/fix was |
| 117 | proposed with the report, and other mitigating circumstances. The VRP panel will |
| 118 | assign any reward amount for the bug. |
| 119 | |
| 120 | ## 9. Assign and pay reward |
| 121 | |
| 122 | After the VRP panel meets, the reporter will be notified of the VRP reward |
| 123 | decision through the bug report, and a label will be applied with the VRP reward |
| 124 | amount. |
| 125 | |
| 126 | ## 10. Assign CVE |
| 127 | |
| 128 | At the time that the security fix is shipped to a Stable channel release, a |
| 129 | security TPM will assign the issue a [CVE](https://www.cve.org/) number. CVE |
| 130 | numbers need to point to a publicly accessible artifact, and Chrome uses the |
| 131 | releases blog (see below) for this purpose. |
| 132 | |
| 133 | ## 11. Publish release & security notes |
| 134 | |
| 135 | The Chrome Release team releases an update of Chrome containing the security |
| 136 | fix. If the fix is included in a Stable channel release of Chrome, it will be |
| 137 | listed and acknowledged in the security fix notes on the [Chrome Releases |
| 138 | blog](https://googlechromereleases.blogspot.com/). Security issues will be |
| 139 | highlighted with a short description, any reward amount, the CVE number, and |
| 140 | acknowledging the reporter as requested (if they have consented to such). |
| 141 | |
| 142 | ## 12. Publicly disclose |
| 143 | |
| 144 | Except in rare circumstances where the bug report has been embargoed, 14 weeks |
| 145 | after the issue is marked *Fixed*, security automation opens the bug for public |
| 146 | disclosure. At that time, the reporter can consider their obligations under |
| 147 | responsible disclosure to be fulfilled. |
