Hello everyone,

Submitted for the community to evaluate and provide any feedback. We are looking to move to GitHub Security Reporting and Security Advisories. This makes some minor changes to the security reporting process and a big shift for the security advisories. Please take a moment to provide any feedback. We will be selectively using the procedure below for some trial runs and will report any changes or omissions that may be found in the proposed process.

Process for GHSA – provided by Miki Demeter

* Private Vulnerability Reporting – Reporter makes a probable security issue report
  * If security issue only GHSR – Security Policy to describe the procedure to report a security issue (Sean B)
* Validate that it is a security issue - Infosec Team will determine if this is a security issue. This may require the enlistment of subject matter experts – If not deemed a security issue, ask reporter to submit to Bugzilla.
  * If the issue is a security issue
    * GHSA Created - Infosec Team creates the GHSA
    * Add infosec team – Infosec adds the team members, Maintainers, reviewers and submitter (need Infosec team group)
    * CVSS Scoring - Infosec Team with assistance from submitter sets the CVSS Score
    * Assign CWEs - Infosec Team assigns appropriate CWEs
    * Allocate CVE # - Infosec Team allocates CVE # to reference issue
    * Add private fork - Infosec Team creates private fork for patch work to be completed
  * Embargo period established - Infosec Team establishes the embargo time
  * Proposed Patch created or exists – Owner (All discussion at the GHSA patch level, not file patch level)
    * Maintainers, Reviewers and Infosec Team – All parties evaluate patch
    * Validate Fix complete - Infosec Team
    * Level of Testing required to consider complete - Infosec Team defines the level of testing necessary to validate.
  * Embargo Period Ends
  * GHSA PR Created - Publicly Visible at this point
    * Merged within 1 day
  * CVE Details Updated – Infosec Team updates CVE Detail information and submits to Mitre and makes public

# Security Policy - Provided by Sean Brogan

Tianocore Edk2 is an open source firmware project that is leveraged by and 
combined into other projects to build the firmware for a given product. We 
build and maintain edk2 knowing that there are many downstream repositories and 
projects that derive or inherit significant code from this project. But, that 
said, in the firmware ecosystem there is a lot of variation and 
differentiation, and the license in this project allows flexibility for use 
without contribution back to Edk2. Therefore, any issues found here may or may 
not exist in products derived from Edk2.

## Supported Versions

Due to the usage model we generally only supply fixes to the master branch. If 
requested, we may generate a release branch from a stable tag (up to one 
release back) and apply patches but given our downstream consumption model this 
is generally not necessary.

## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues or 

Instead, please use GitHub Private Vulnerability Reporting, which is enabled for the edk2 repository.

This process is well documented by GitHub in their 

This process will allow us to privately discuss the issue, collaborate on a 
solution, and then disclose the vulnerability.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
More information is available here:

* [ISO/IEC 29147:2018 on Vulnerability 
* [The CERT Guide to Coordinated Vulnerability 

Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
Intel Corporation

Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon

Portland Women in Tech Best Speaker
503.712.8030 (office)
971.248.0123 (cell)

View/Reply Online (#100608): https://edk2.groups.io/g/devel/message/100608