path: root/chromium/docs/security/security-labels.md
Diffstat (limited to 'chromium/docs/security/security-labels.md')
-rw-r--r--chromium/docs/security/security-labels.md21
1 files changed, 20 insertions, 1 deletions
diff --git a/chromium/docs/security/security-labels.md b/chromium/docs/security/security-labels.md
index 45e24a378a8..deb7c037dae 100644
--- a/chromium/docs/security/security-labels.md
+++ b/chromium/docs/security/security-labels.md
@@ -121,7 +121,8 @@ Other cases where it's OK to set **Security_Impact-None**:
Cases where it's *not* OK to set **Security_Impact-None**:
* Features enabled via normal UI or settings which users might happen across
- in normal usage. For instance, accessibility features.
+ in normal usage. For instance, accessibility features and the Chrome Labs
+ experimental features accessible from the toolbar.
* Origin trials. Origin trials are only active on some websites, but the
affected code does run for Chrome users with the default Chrome configuration.
* The impacted code runs behind a feature flag which is *enabled by default*,
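Review bot: The added Chrome Labs example in the first bullet would be clearer if it stated the rule it illustrates rather than only naming another feature: the feature is reachable from standard UI (the toolbar) with no flag or command-line switch, so it runs for users on the default configuration, which is the same reason the origin-trial and enabled-by-default bullets below give. Suggest wording along the lines of "For instance, accessibility features, or the Chrome Labs experimental features, which any user can turn on from the toolbar." so the reader can apply the same test to the next feature that comes along.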
@@ -161,6 +162,24 @@ the pathname.)
OS, and perhaps Fuchsia (?). Views for macOS is increasingly a thing, but Cocoa
code (e.g. `ui/message_center/cocoa`) is particular to macOS.
+## After the bug is fixed: Merge labels {#TOC-Merge-labels}
+
+Once you've landed a complete fix for a security bug, please immediately
+mark the bug as Fixed. Do not request merges: Sheriffbot will request
+appropriate merges to beta or stable according to our guidelines.
+However, it is really helpful if you comment upon any unusual stability or
+compatibility risks of merging.
+
+(Some Chromium teams traditionally deal with merges _before_ marking bugs as
+Fixed. Please don't do that for security bugs.)
+
+Please take the opportunity to consider whether there are any variants
+or related problems. It's very common for attackers to tweak working attack code
+to exploit a similar situation elsewhere. If you've even the remotest thought
+that there _might_ be equivalent patterns or variants elsewhere, file a bug
+with type=Bug-Security. It can be nearly blank. The important thing is to record
+the fact that something may need doing.
+
## Sheriffbot automation
Security labels guide the actions taken by
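Review bot: The new section's heading promises "Merge labels", but the body never names a label: it tells the developer to mark the bug Fixed, not to request merges, and that Sheriffbot handles merges, without saying which labels Sheriffbot will set or which ones the developer must leave alone. Either list the relevant labels here (or link to the Sheriffbot automation section that follows) or retitle the section to match its content, e.g. "After the bug is fixed: Fixed state and merges". Two smaller points: the variants paragraph should ask that the nearly blank follow-up bug reference the original bug ID, since a bare "there may be variants" bug is hard to triage without that link; and the parenthetical about teams handling merges before marking Fixed would read better merged into the preceding paragraph as the reason the "immediately" matters, rather than as a stand-alone aside.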