public inbox for devel@edk2.groups.io
* [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
From: Kun Qin @ 2023-03-09 19:43 UTC (permalink / raw)
  To: devel
  Cc: Andrew Fish, Leif Lindholm, Michael D Kinney, Miki Demeter,
	Sean Brogan

This change added a markdown file as a policy guideline for Tianocore EDK2
community to handle security sensitive reports.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Miki Demeter <miki.demeter@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Sean Brogan (1):
  Define security policy in SECURITY.md file for repository

 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 SECURITY.md

-- 
2.37.1.windows.1



* [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
From: Kun Qin @ 2023-03-09 19:43 UTC (permalink / raw)
  To: devel; +Cc: Sean Brogan

From: Sean Brogan <sean.brogan@microsoft.com>

Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
the Github Private Vulnerability Reporting process.

Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
---
 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..bef046e91aa1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
+We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
+But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
+flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
+tag and apply patches but given our downstream consumption model this is generally not necessary.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues or bugzilla.
+
+Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
+This process is well documented by github in their documentation
+[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
+More information is available here:
+
+* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
+* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
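Review bot: the "Reporting a Vulnerability" section names GitHub Private Vulnerability Reporting as the only channel and gives no fallback contact or expected acknowledgement window, so a reporter who cannot use the GitHub flow, or who hears nothing back, has no documented next step. Suggest one more line after `+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.` naming an alternate contact and a response time. Separately, capitalisation is inconsistent across the file (`Tianocore Edk2`, `edk2`, `Edk2`, `Github`, `GitHub`, `bugzilla`); pick one form for each name.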
-- 
2.37.1.windows.1



* Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
From: Demeter, Miki @ 2023-03-28  0:26 UTC (permalink / raw)
  To: Kun Qin, devel@edk2.groups.io
  Cc: Andrew Fish, Leif Lindholm, Kinney, Michael D, Sean Brogan


Ack

Need to get this acked by others in infosec too


--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation

Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
NIA-Oregon: https://intel.sharepoint.com/sites/NIA

Portland Women in Tech Best Speaker
miki.demeter@intel.com
503.712.8030 (office)
971.248.0123 (cell)


From: Kun Qin <kuqin12@gmail.com>
Date: Thursday, March 9, 2023 at 1:44 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com>, Leif Lindholm <quic_llindhol@quicinc.com>, Kinney, Michael D <michael.d.kinney@intel.com>, Demeter, Miki <miki.demeter@intel.com>, Sean Brogan <sean.brogan@microsoft.com>
Subject: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
This change added a markdown file as a policy guideline for Tianocore EDK2
community to handle security sensitive reports.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Miki Demeter <miki.demeter@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Sean Brogan (1):
  Define security policy in SECURITY.md file for repository

 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 SECURITY.md

--
2.37.1.windows.1



* Re: [edk2-devel] [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
From: Rebecca Cran @ 2023-03-28 12:15 UTC (permalink / raw)
  To: devel, kuqin12; +Cc: Sean Brogan

Reviewed-by: Rebecca Cran <rebecca@bsdio.com>


On 3/9/23 12:43 PM, Kun Qin wrote:
> From: Sean Brogan <sean.brogan@microsoft.com>
>
> Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
> the Github Private Vulnerability Reporting process.
>
> Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
> Signed-off-by: Kun Qin <kun.qin@microsoft.com>
> ---
>   SECURITY.md | 33 ++++++++++++++++++++
>   1 file changed, 33 insertions(+)
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..bef046e91aa1
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,33 @@
> +# Security Policy
> +
> +Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
> +We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
> +But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
> +flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
> +
> +## Supported Versions
> +
> +Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
> +tag and apply patches but given our downstream consumption model this is generally not necessary.
> +
> +## Reporting a Vulnerability
> +
> +Please do not report security vulnerabilities through public GitHub issues or bugzilla.
> +
> +Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
> +This process is well documented by github in their documentation
> +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
> +
> +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
> +
> +## Preferred Languages
> +
> +We prefer all communications to be in English.
> +
> +## Policy
> +
> +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
> +More information is available here:
> +
> +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
> +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)


* Re: [edk2-devel] [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
From: Kevin@Insyde @ 2023-03-28 16:50 UTC (permalink / raw)
  To: devel@edk2.groups.io, miki.demeter@intel.com
  Cc: Kun Qin, Andrew Fish, Leif Lindholm, Kinney, Michael D,
	Sean Brogan




* Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
From: Leif Lindholm @ 2023-04-05 18:07 UTC (permalink / raw)
  To: Kun Qin, devel; +Cc: Andrew Fish, Michael D Kinney, Miki Demeter, Sean Brogan

On 2023-03-09 19:43, Kun Qin wrote:
> This change added a markdown file as a policy guideline for Tianocore EDK2
> community to handle security sensitive reports.
> 
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1
> 
> Cc: Andrew Fish <afish@apple.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Miki Demeter <miki.demeter@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> 
> Sean Brogan (1):
>    Define security policy in SECURITY.md file for repository
> 
>   SECURITY.md | 33 ++++++++++++++++++++
>   1 file changed, 33 insertions(+)
>   create mode 100644 SECURITY.md

Nitpick: edk2 is alternatingly capitalised or not in the readme.
But

Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>


