All launches and major changes to Chrome undergo a security review.
Please note that filing a launch bug requires an @google.com account. Non-Google/open source contributors should find a Google PM who can help with the launch. (If you don't know whom to ask, ask on firstname.lastname@example.org.)
The Chrome Security Team used to ask engineers and PMs to provide the same information over and over again for incremental launches. We also had a hard time keeping on top of incremental changes, and we weren't really using the cumulative review data to give us insight into the ongoing engineering practices across Chrome.
This process aims to address these issues and make the review process simpler and faster for everyone. If you have further questions, ping palmer@.
The full story is here: New Chrome Security Review Plan.
TL;DR: File a launch bug, and the security team will see it on their dashboard. Make sure to link to a design document in the launch bug. The security reviewer(s) will look to the design doc first, and will probably comment and ask questions in the document.
If your project is especially tricky or large, it's best to reach out to email@example.com (for public stuff; preferable) or firstname.lastname@example.org (for Google confidential stuff) well ahead of time.
Great question, and thanks for asking it! Security reviews serve three main purposes:
Unfortunately, security reviews don’t mean that you can stop caring about security. Your team is still accountable and responsible for ensuring that your code is free of security bugs. Security reviews won’t catch all bugs, but they certainly do help to make sure your security practices are sound.
Yes, but with one important difference: for Chrome OS, kerrnel@ is the main point of contact. To file a Chrome OS feature survey, please follow the steps at go/cros-security-review.
The best address for us is email@example.com, or if you’re a Googler you can reach us at firstname.lastname@example.org for Chrome stuff, or email@example.com for Chrome OS stuff.