Describe reward_to- label in Sheriffing documents.

Previously, a couple of bugs went uncredited and didn't attract CVEs because this label wasn't added. This may help a little. Change-Id: I7208168a8cd8bae523bdfe00118ae70d3c901836 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2387416Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Adrian Taylor <adetaylor@chromium.org> Cr-Commit-Position: refs/heads/master@{#803646}

Describe reward_to- label in Sheriffing documents.
Previously, a couple of bugs went uncredited and didn't attract CVEs because this label wasn't added. This may help a little. Change-Id: I7208168a8cd8bae523bdfe00118ae70d3c901836 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2387416Reviewed-by: Max Moroz <mmoroz@chromium.org> Commit-Queue: Adrian Taylor <adetaylor@chromium.org> Cr-Commit-Position: refs/heads/master@{#803646}
0b6caf7c · Adrian Taylor · Commit Bot · 724e08fe · 0b6caf7c · 0b6caf7c
Commit 0b6caf7c authored Sep 01, 2020 by Adrian Taylor Committed by Commit Bot Sep 01, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

docs/security/security-labels.md docs/security/security-labels.md +9 -4

docs/security/sheriff.md docs/security/sheriff.md +2 -0

No files found.
--- a/docs/security/security-labels.md
+++ b/docs/security/security-labels.md
@@ -88,10 +88,15 @@ guidelines are as follows:
 * **reward-**{**topanel**, **unpaid**, **na**, **inprocess**, _#_}: Labels used
 in tracking bugs nominated for our [Vulnerability Reward
 Program](https://www.chromium.org/Home/chromium-security/vulnerability-rewards-program).
-If a bug is filed by a Google or Chromium user on behalf of an external party,
-but is not within scope for a vulnerability reward, nevertheless use **reward-na**
-to ensure that the report is still properly credited to the external reporter
-in the release notes.
+* **reward_to-**. If a bug is filed by a Google or Chromium user on behalf of
+an external party, use **reward_to** to ensure the report is still properly credited
+to the external reporter in the release notes. Normally, the latter half of this
+label would be an e-mail address with '@' replaced with '_at_'. But if the
+reporter was a whole organization or some other entity without a specific e-mail
+address, then **reward_to-external** is sufficient to ensure it is credited.
+Despite its name, you should add this label whether or not the reporter is
+in scope for the vulnerability rewards program, because external reports are
+credited in the release notes irrespective.
 * **M-#**: Target milestone for the fix.
 * Component: For bugs filed as **Type-Bug-Security**, we also want to track
 which component(s) the bug is in.

--- a/docs/security/sheriff.md
+++ b/docs/security/sheriff.md
@@ -283,6 +283,8 @@ was filed using the Security template):
  comments contain PII**, add **Restrict-View-SecurityEmbargo**.
 * **Security_Severity** - your responsibility as Sheriff.
 * **Security_Impact** - your responsibility as Sheriff.
+* **reward_to** - if the bug was filed internally on behalf of somebody
+  external. This is also very important; please check.

 You can expect Sheriffbot to fill in lots of other labels; for example,
 the `M-` label to indicate the target milestone. It's best to allow