========================================
LLVM Security Group Transparency Reports
========================================

This page lists the yearly LLVM Security group transparency reports.

2021
----

The :doc:`LLVM security group <Security>` was established on the 10th of July
2020 by the act of the `initial
commit <https://github.com/llvm/llvm-project/commit/7bf73bcf6d93>`_ describing
the purpose of the group and the processes it follows.  Many of the group's
processes were still not well-defined enough for the group to operate well.
Over the course of 2021, the key processes were defined well enough to enable
the group to operate reasonably well:

* We defined details on how to report security issues, see `this commit on
  20th of May 2021 <https://github.com/llvm/llvm-project/commit/c9dbaa4c86d2>`_
* We refined the nomination process for new group members, see `this
  commit on 30th of July 2021 <https://github.com/llvm/llvm-project/commit/4c98e9455aad>`_
* We started writing an annual transparency report (you're reading the 2021
  report here).

Over the course of 2021, we had 2 people leave the LLVM Security group and 4
people join.

In 2021, the security group received 13 issue reports that were made publicly
visible before 31st of December 2021.  The security group judged 2 of these
reports to be security issues:

* https://bugs.chromium.org/p/llvm/issues/detail?id=5
* https://bugs.chromium.org/p/llvm/issues/detail?id=11

Both issues were addressed with source changes: #5 in clangd/vscode-clangd, and
#11 in llvm-project.  No dedicated LLVM release was made for either.

We believe that with the publishing of this first annual transparency report,
the security group now has implemented all necessary processes for the group to
operate as promised. The group's processes can be improved further, and we do
expect further improvements to get implemented in 2022. Many of the potential
improvements end up being discussed on the `monthly public call on LLVM's
security group <https://llvm.org/docs/GettingInvolved.html#online-sync-ups>`_.