Security Labels And Components

Bug database labels are used very heavily for security bugs. We rely on the labels being correct for a variety of reasons, including driving fixing efforts, driving release management efforts (merges and release notes) and also historical queries and data mining.

Because of the extent to which we rely on labels, it is an important part of the Security Sheriff duty to ensure that all security bugs are correctly tagged and managed. But even if you are not the Sheriff, please fix any labeling errors you happen upon.

Any issue that relates to security should have one of the following:

  • Security component: Features that are related to security.
  • Type-Bug-Security: Designates a security vulnerability that impacts users. This label should not be used for new features that relate to security, or general remediation/refactoring ideas. (Use the Security component for that.)

Labels Relevant For Any Type-Bug-Security

  • Security_Severity-{Critical, High, Medium, Low, None}: Designates the severity of a vulnerability according to our severity guidelines.

  • Pri-#: Priority should generally match Severity (but should be higher if there is evidence of active exploitation):

    • Security_Severity-Critical: Pri-0.
    • High and Medium: Pri-1.
    • Low: Pri-2.
  • FoundIn-#: Designates which milestones of Chrome are impacted by the bug. Multiple labels may be set, but the most important one is the earliest affected milestone. See ChromiumDash for current releases.

  • Security_Impact-{Head, Beta, Stable, Extended, None}: Derived from FoundIn, this label specifies the earliest affected release channel. Should not normally be set by humans, except in the case of None which means that the bug is in a disabled feature, or otherwise doesn't impact Chrome: see the section below for more details.

    • Note that Security_Severity should still be set on Security_Impact-None issues, as if the feature were enabled or the code reachable.
  • Restrict-View-{SecurityTeam, SecurityNotify, Google, SecurityEmbargo}: Labels that restrict access to the bug. Meaning and usage guidelines are as follows:

    • Restrict-View-SecurityTeam: Restricts access to members of security@chromium.org. This is the default that should be used for general security bugs that aren't sensitive otherwise.
    • Restrict-View-SecurityNotify: Restricts access to members of security-notify@chromium.org, which includes external parties who ship Chromium-based products and who need to know about available bug fixes. security@chromium.org is a member of that group so the former is a superset of the latter. Restrict-View-SecurityNotify is not suitable for sensitive bugs.
    • Restrict-View-SecurityNotifyWebRTC: As above, but additionally gives access to security-notify@webrtc.org, a community of downstream WebRTC embedders.
    • Restrict-View-Google: Restricts access to users that are Google employees (but also via their chromium.org accounts). This should be used for bugs that aren't OK for external contributors to see (even if we trust them with security work), for example due to:
      • legal reasons (bug affects a partner Google is under NDA and the information is subject to that)
      • the bug affecting more Google products than Chrome and Chrome OS
    • Restrict-View-SecurityEmbargo: Restricts access to security@chromium.org and and stops Sheriffbot from publishing the bug automatically. Use this if the bug in question is subject to disclosure decisions made externally, such as:
      • We receive advance notice of security bugs from an upstream open source project or Google partner and they organize a coordinated disclosure process. We'd remove the restriction label if/when the embargo gets lifted.
      • The reporter indicates a preference to remain anonymous an the bug history would give away the reporter‘s identity (if they file using an anonymous account, this doesn’t apply).

    If multiple restriction labels are appropriate, set all of them. Note that all restriction labels must be satisfied for a user to have access to a bug.

  • reward-{topanel, unpaid, na, inprocess, #}: Labels used in tracking bugs nominated for our Vulnerability Reward Program.

  • reward_to-. If a bug is filed by a Google or Chromium user on behalf of an external party, use reward_to to ensure the report is still properly credited to the external reporter in the release notes. Normally, the latter half of this label would be an e-mail address with ‘@’ replaced with ‘at’. But if the reporter was a whole organization or some other entity without a specific e-mail address, then reward_to-external is sufficient to ensure it is credited. Despite its name, you should add this label whether or not the reporter is in scope for the vulnerability rewards program, because external reports are credited in the release notes irrespective.

  • M-#: Target milestone for the fix.

  • Component: For bugs filed as Type-Bug-Security, we also want to track which component(s) the bug is in.

  • ReleaseBlock-Stable: When we find a security bug regression that has not yet shipped to stable, we use this label to try and prevent the security regression from ever affecting users of the Stable channel.

  • OS-{Chrome, Linux, Windows, ...}: Denotes which operating systems are affected.

  • Merge-{Request-?, Approved-?, Merged-?}: Security fixes are frequently merged to earlier release branches.

  • Release-#-M##: Denotes which exact patch a security fix made it into. This is more fine-grained than the M-# label. Release-0-M50 denotes the initial release of a M50 to Stable.

  • CVE-####-####: For security bugs that get assigned a CVE, we tag the appropriate bug(s) with the label for easy searching. Type-Bug-Security bugs should always have Security_Severity, Security_Impact, OS, Pri, M, Component, and an owner set.

When to use Security_Impact-None {#TOC-Security_Impact-None}

Security_Impact-None says that the bug can‘t affect any users running the default configuration of Chrome. It’s most commonly used for cases where code is entirely disabled or absent in the production build.

Other cases where it's OK to set Security_Impact-None:

  • The impacted code runs behind a feature flag which is disabled by default, and the field trial configuration has not been switched on.
  • The impacted code only runs behind a command-line flag or chrome://flags entry. (In particular, if a bug can only affect those who have set #enable-experimental-web-platform-features, it is Security_Impact-None.
  • It's a V8 feature behind flags such as --future, --es-staging or --wasm-staging or other experimental flags that are disabled by default.

Cases where it's not OK to set Security_Impact-None:

  • Features enabled via normal UI or settings which users might happen across in normal usage. For instance, accessibility features and the Chrome Labs experimental features accessible from the toolbar.
  • Origin trials. Origin trials are only active on some websites, but the affected code does run for Chrome users with the default Chrome configuration.
  • The impacted code runs behind a feature flag which is enabled by default, even if that field trial configuration has been switched off. That‘s because the code may be active for devices which can’t access the field trial configuration service.
  • The feature is turned on only for a small percent of users, e.g. 1%.
  • Feature or flag checks are done somewhere that the attacker could influence. For example a privilege escalation from a lower-privileged process (e.g. renderer) to a higher-privileged process (e.g. browser) assumes that the lower-privileged process is already compromised. The attacker could overwrite memory for any feature checks performed within that lower-privileged process; the bug only qualifies as impact None if checks are performed in the higher-privileged process.
  • If a bug involves a patch to a renderer or use of a flag to turn on MojoJS this may mean it's a simulation of a compromised renderer and the bug may still be a valid sandbox escape bug.

It‘s important to get this right, because this label influences how rapidly we merge and release the fix. Ask for help if you’re not sure.

Some Security_Impact-None bugs may still be subject to VRP rewards, if those bugs are found in found in code that we're likely to enable in the future.

OS Labels

It can be hard to know which OS(s) a bug applies to. Here are some guidelines:

  • Blink is used on all platforms except iOS. A (say) UAF in Blink is probably not particular to whatever platform it was found on; it's probably applicable to all.
  • The same is true of Skia, and the net/ code.
  • If the bug is in a file named foo_{win,linux,mac,...}.cc, it's specific to the named platform.
  • Java code is particular to Android.
  • Objective-C++ (foo.mm) is particular to macOS and iOS. (But note that most of our Objective-C++ is particular to macOS or iOS. You can usually tell by the pathname.)
  • Views code (e.g. ui/message_center/views) is used on Windows, Linux, Chrome OS, and perhaps Fuchsia (?). Views for macOS is increasingly a thing, but Cocoa code (e.g. ui/message_center/cocoa) is particular to macOS.

After the bug is fixed: Merge labels

Once you've landed a complete fix for a security bug, please immediately mark the bug as Fixed. Do not request merges: Sheriffbot will request appropriate merges to beta or stable according to our guidelines. However, it is really helpful if you comment upon any unusual stability or compatibility risks of merging.

(Some Chromium teams traditionally deal with merges before marking bugs as Fixed. Please don't do that for security bugs.)

Please take the opportunity to consider whether there are any variants or related problems. It‘s very common for attackers to tweak working attack code to exploit a similar situation elsewhere. If you’ve even the remotest thought that there might be equivalent patterns or variants elsewhere, file a bug with type=Bug-Security. It can be nearly blank. The important thing is to record the fact that something may need doing.

Sheriffbot automation

Security labels guide the actions taken by SheriffBot. The source of truth for the actual rule set is go/sheriffbot-source (sorry, Google employees only). The motivation behind these rules is to help automate the security bug life cycle so security sheriffs and security engineers in general spend less time updating bugs and can do more useful work instead.

The following sections describe the current set of rules relevant to security bugs. The list below only describes rules that change the labels described above. There are additional rules for sending nag messages and janitorial tasks; check the sheriffbot source for details.

Remove Invalid Release-# Labels

Only bugs that affect stable should carry a release label, this rule removes release labels that are set on bugs not affecting stable.

Remove Invalid Security_Impact-X Labels

There should be exactly one Security_Impact-X label and it should be one of the 5 valid impact labels (None, Extended, Stable, Beta, Head). This rule removes any invalid and excess impact labels.

Adjust Security_Impact-X To Match FoundIn Labels

Based on FoundIn-# milestone labels this rule assigns corresponding Security_Impact-X labels if they are incorrect or absent. Security_Impact-None is never changed.

Update M-# Labels

Bugs that are labelled with milestones earlier than the current milestone will be relabeled to set the label for the current milestone and Security_Impact-Extended.

Bugs that carry a Security_Impact-X label but are missing a milestone label will be assigned the M-# label corresponding to the respective milestone.

Set ReleaseBlock-X For Regressions

If there's a high or medium severity security regression in beta or ToT, add a ReleaseBlock-Stable label to prevent that regression to be shipped to users.

Similarly, critical security regressions are marked ReleaseBlock-Beta.

Adjust Pri-# To Match Severity

Adjust Pri-# according to the priority rules for severity labels described above. If there is evidence of active exploitation then a higher priority should be used.

Drop Restrict-View-{SecurityTeam,SecurityNotify} From Old And Fixed Bugs

Remove Restrict-View-SecurityTeam, Restrict-View-SecurityNotify and Restrict-View-SecurityNotifyWebRTC from security bugs that have been closed (Fixed, Verified, Duplicate, WontFix, Invalid) more than 14 weeks ago and add the allpublic label to make the bugs accessible publicly. The idea here is that security bug fixes will generally require 12 weeks to ship (2 release cycles for ToT changes to hit stable). This catches cases where the bug owner forgets to mark the bug public after the fix is released.

Set Restrict-View-SecurityNotify On Fixed Bugs

Replace Restrict-View-SecurityTeam with Restrict-View-SecurityNotify for fixed security bugs. Rationale is that while fixed bugs are generally not intended to become public immediately, we'd like to give access to external parties depending on Chromium via security-notify@chromium.org. (WebRTC bugs instead get set to Restrict-View-SecurityNotifyWebRTC).

Set Merge-Request-X For Fixed Bugs

Fixed security bugs that affect stable or beta and are critical or high severity will automatically trigger a merge request for the current beta branch, and perhaps stable if also impacted.

Drop ReleaseBlock-X Labels From Security_Impact-None Bugs

No need to stop a release if the bug doesn't have any consequences.

Set Status:Fixed For Open Security Bugs With Merge Labels

Security bugs that have a merge label (but excluding bugs with component:OS) are marked as fixed automatically. The rationale is that if something gets merged to a release branch, there's a high likelihood that the bug is actually fixed.

An Example

Given the importance and volume of labels, an example might be useful.

  1. An external researcher files a security bug, with a repro that demonstrates memory corruption against the latest (e.g.) M29 dev channel. The labels Restrict-View-SecurityTeam and Type-Bug-Security will be applied.
  2. The sheriff jumps right on it and uses ClusterFuzz to confirm that the bug is a novel and nasty-looking buffer overflow in the renderer process. ClusterFuzz also confirms that all current releases are affected. Since M27 is the current Stable release, and M28 is in Beta, we add the labels of the earliest affected release: FoundIn-27. The severity of a buffer overflow in a renderer implies Security_Severity-High and Pri-1. Any external report for a confirmed vulnerability needs reward-topanel. Sheriffbot will usually add it automatically. The stack trace provided by ClusterFuzz suggests that the bug is in the component Blink>DOM, and such bugs should be labeled as applying to all OSs except iOS (where Blink is not used): OS-{Linux, Windows, Android, Chrome, Fuchsia}. Sheriffbot will check whether 27 is the current extended stable, stable, beta or head milestone; let's assume Security_Impact-Stable is applied by Sheriffbot this time.
  3. Within a day or two, the sheriff was able to get the bug assigned and — oh joy! — fixed very quickly. When the bug's status changes to Fixed, Sheriffbot will add the Merge-Requested label, and will change Restrict-View-SecurityTeam to Restrict-View-SecurityNotify.
  4. Later that week, the Chrome Security manager does a sweep of all reward-topanel bugs. This one gets rewarded, so that one reward label is replaced with two: reward-1000 and reward-unpaid. Later, reward-unpaid becomes reward-inprocess and is later still removed when all is done. Of course, reward-1000 remains forever. (We use it to track total payout!)
  5. The next week, a Chrome TPM states that the first Chrome M27 stable patch is going on and asks if we want to include security fixes. We do, of course. Having had this particular fix “bake” in another M29 Dev channel, the Chrome Security release manager decides to merge it. Merge-Approved-M## is replaced with Merge-Merged-M##. (IMPORTANT: This transition only occurs after the fix is merged to ALL applicable branches, i.e. M28 as well as M27 in this case.) We now know that users of Chrome Stable will get the fix in the first M27 Stable patch, so the following labels are changed/applied: M-27, Release-1. Since the bug was externally reported, it definitely gets its own CVE, and a label is eventually added: CVE-2013-31337.
  6. 14 weeks after the bug is marked Fixed, Sheriffbot removes the Restrict-View-SecurityNotify label and other Restrict-View-? labels, making the bug public. There is one crucial exception: Sheriffbot will not remove Restrict-View-SecurityEmbargo.