Diffstat (limited to 'chromium/docs/security/security-labels.md'):
-rw-r--r-- chromium/docs/security/security-labels.md | 21
1 file changed, 20 insertions, 1 deletion
diff --git a/chromium/docs/security/security-labels.md b/chromium/docs/security/security-labels.md index 45e24a378a8..deb7c037dae 100644 --- a/chromium/docs/security/security-labels.md +++ b/chromium/docs/security/security-labels.md @@ -121,7 +121,8 @@ Other cases where it's OK to set **Security_Impact-None**: Cases where it's *not* OK to set **Security_Impact-None**: * Features enabled via normal UI or settings which users might happen across - in normal usage. For instance, accessibility features. + in normal usage. For instance, accessibility features and the Chrome Labs + experimental features accessible from the toolbar. * Origin trials. Origin trials are only active on some websites, but the affected code does run for Chrome users with the default Chrome configuration. * The impacted code runs behind a feature flag which is *enabled by default*, 
@@ -161,6 +162,24 @@ the pathname.) OS, and perhaps Fuchsia (?). Views for macOS is increasingly a thing, but Cocoa code (e.g. `ui/message_center/cocoa`) is particular to macOS. +## After the bug is fixed: Merge labels {#TOC-Merge-labels} + +Once you've landed a complete fix for a security bug, please immediately +mark the bug as Fixed. Do not request merges: Sheriffbot will request +appropriate merges to beta or stable according to our guidelines. +However, it is really helpful if you comment upon any unusual stability or +compatibility risks of merging. + +(Some Chromium teams traditionally deal with merges _before_ marking bugs as +Fixed. Please don't do that for security bugs.) + +Please take the opportunity to consider whether there are any variants +or related problems. It's very common for attackers to tweak working attack code +to exploit a similar situation elsewhere. If you've even the remotest thought +that there _might_ be equivalent patterns or variants elsewhere, file a bug +with type=Bug-Security. It can be nearly blank. The important thing is to record +the fact that something may need doing. + ## Sheriffbot automation Security labels guide the actions taken by |
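Review bot: In the first hunk (the "Cases where it's *not* OK to set **Security_Impact-None**" bullet), the added "Chrome Labs experimental features accessible from the toolbar" example would be clearer if it stated why it belongs in this list: a feature a user can switch on from the toolbar is reachable in the default Chrome configuration, so a bug behind it has security impact. Consider ending the bullet with a short clause to that effect, e.g. "… accessible from the toolbar, since any user can turn these on without flags."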
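Review bot: In the new "After the bug is fixed: Merge labels" section, the heading promises merge labels but the body never names one, and the behaviour it relies on ("Sheriffbot will request appropriate merges") is what the "## Sheriffbot automation" section immediately below describes; either name the labels Sheriffbot sets or cross-link that section so readers know where to look. Also, "file a bug with type=Bug-Security. It can be nearly blank." would be more useful if it asked for a minimum: a link to the fixed bug and a one-line description of the suspected pattern, so the triager who picks up the variant bug knows what to check.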