[docs] Security sheriff: clarify bugs reproduction and Skia fuzzing.

1) Clarify that it's not always necessary to reproduce a bug yourself. 2) Move the paragraph about components with their own triage processes to the beginning of the triage instruction. 3) Slightly change wording in V8 and Skia guidance. Mention Skia fuzzing bugs explicitly. Change-Id: Ide0bc021675d4f9ea648af3c777470b4cce9975e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2048106 Commit-Queue: Max Moroz <mmoroz@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Cr-Commit-Position: refs/heads/master@{#740366}

[docs] Security sheriff: clarify bugs reproduction and Skia fuzzing.
1) Clarify that it's not always necessary to reproduce a bug yourself. 2) Move the paragraph about components with their own triage processes to the beginning of the triage instruction. 3) Slightly change wording in V8 and Skia guidance. Mention Skia fuzzing bugs explicitly. Change-Id: Ide0bc021675d4f9ea648af3c777470b4cce9975e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2048106 Commit-Queue: Max Moroz <mmoroz@chromium.org> Reviewed-by: Abhishek Arya <inferno@chromium.org> Cr-Commit-Position: refs/heads/master@{#740366}
b3807f9f · Max Moroz · Commit Bot · 6dd0c4bc · b3807f9f
Commit b3807f9f authored Feb 11, 2020 by Max Moroz Committed by Commit Bot Feb 11, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 22 deletions

docs/security/sheriff.md docs/security/sheriff.md +31 -22

No files found.
--- a/docs/security/sheriff.md
+++ b/docs/security/sheriff.md
@@ -167,8 +167,36 @@ i like that.")

 #### Step 1. Reproduce legitimate-sounding issues.

-If you can't reproduce the issue, ask for help on IRC (#chrome-security) or the
-Chrome Security chat, or find an area owner to help.
+Ideally, sheriffs should reproduce each bug before triaging, but being efficient
+is also important. It's fine to delegate reproducing bugs in the following
+cases:
+* A bug comes from an automated infrastructure (such as ClusterFuzz or Vomit).
+* A bug comes from a reporter with a solid track record of vulnerabilities (e.g.
+  prolific external researchers or Google Project Zero team).
+* A bug requires a particular device that you don't have available, or any other
+  environment which you don't have ready but a potential code owner would have.
+
+Mention explicitly in your comment that you didn't reproduce a bug before
+assigning it to someone else.
+
+A few components have their own triage processes or points of contact who can
+help.
+
+* V8 bugs can be assigned to the [V8 ClusterFuzz
+  Sheriff](https://rotation.googleplex.com/status?id=5714662985302016) for
+  triage. Note that V8 CHECK failure crashes can have security implications, so
+  don't triage it yourself and instead assign it to V8 ClusterFuzz Sheriff. They
+  can make an informed decision on whether it is a security vulnerability or not
+  and whether it is safe to strip the security tags (**Type=Bug-Security**,
+  **Restrict-View-SecurityTeam**).
+* Skia bugs can be assigned to hcm@chromium.org. Be careful while triaging
+  these! The place where we're crashing isn't necessarily the place where the
+  bug was introduced, so blame may be misleading. Skia fuzzing bugs can be
+  assigned to kjlubick@chromium.org, as Skia is heavily fuzzed on OSS-Fuzz and
+  some issues reported in Chromium are already known or even fixed upstream.
+* URL spoofing issues, especially related to RTL or IDNs? See
+  [go/url-spoofs](http://go/url-spoofs) for a guide to triaging these.
+

 Tips for reproducing bugs:

@@ -300,26 +328,7 @@ portions of the codebase.
  and query by when the issues were closed after (i.e. w/ in the last 30 days ==
  `closed>today-30`).

-A few components have their own triage processes or points of contact who can
-help.
-
-* V8 bugs? Look for V8 rolls within the regression range, then look within the
-  CLs of those rolls to find possible culprits. If you are unable to find the
-  culprit CL, assign to the [V8 ClusterFuzz
-  Sheriff](https://rotation.googleplex.com/status?id=5714662985302016) for
-  triage. Note that V8 CHECK failure crashes can have security implications, so
-  don't triage it yourself and instead assign it to V8 ClusterFuzz Sheriff. They
-  can make an informed decision on whether it is a security vulnerability or not
-  and whether it is safe to strip the security tags (**Type=Bug-Security**,
-  **Restrict-View-SecurityTeam**).
-* Skia bugs? If you made it this far and still aren't sure, assign them to
-  hcm@chromium.org. Be careful while triaging these! The place where we're
-  crashing isn't necessarily the place where the bug was introduced, so blame
-  may be misleading.
-* URL spoofing issues, especially related to RTL or IDNs? See
-  [go/url-spoofs](go/url-spoofs) for a guide to triaging these.
-
-Still stuck? Ask #chrome-security or someone from
+Got stuck? Ask #chrome-security or someone from
 [go/chrome-security-sheriff-mentors](https://goto.google.com/chrome-security-sheriff-mentors)
 for help! That's why we're here. Don't be afraid to do this!