From: "Vincent Zimmer" <vincent.zimmer@intel.com>
To: "Wang, Jian J", "devel@edk2.groups.io", "lersek@redhat.com"
CC: "Cetola, Stephano", "Gao, Liming"
Subject: Re: [edk2-devel] [RFC] Propose update of security bug handling process
Date: Tue, 16 Apr 2019 00:03:47 +0000
Message-ID: <76DE84138CBE89489874B70B432D8F9BD9FD261F@ORSMSX105.amr.corp.intel.com>

I agree w/ your comments Jian. Great input from Laszlo, too.

I also want to let the community know that this specific process posting has 2 parts.

This first was to post the process used by infosec bz team today, which Jian did well with https://github.com/jwang36/tianocore.github.io/wiki/Proposal-of-security-issue-process. Goal is to provide transparency into a process that we all agree can use some 'optimization.'

The 'optimization' is the second part of the discussion, namely refining the process, and some of the results of the RFC. To that end, our able community manager Stephano will set up meetings for continuing to execute the scrubs in addition to and/or along with actions to refine the process.

Thanks,

Vincent

-----Original Message-----
From: Wang, Jian J
Sent: Sunday, April 14, 2019 10:36 PM
To: devel@edk2.groups.io; lersek@redhat.com
Cc: Zimmer, Vincent <vincent.zimmer@intel.com>; Cetola, Stephano <stephano.cetola@intel.com>; Gao, Liming <liming.gao@intel.com>
Subject: RE: [edk2-devel] [RFC] Propose update of security bug handling process

Laszlo,


> -----Original Message-----
> From: devel@edk2.groups.io [mailto:devel@edk2.groups.io] On Behalf Of Laszlo Ersek
> Sent: Friday, April 12, 2019 8:52 PM
> To: Wang, Jian J <jian.j.wang@intel.com>
> Cc: devel@edk2.groups.io; Zimmer, Vincent <vincent.zimmer@intel.com>; Cetola, Stephano <stephano.cetola@intel.com>; Gao, Liming <liming.gao@intel.com>
> Subject: Re: [edk2-devel] [RFC] Propose update of security bug handling process
>
> (Dropping bugs@edk2.groups.io <bugs@edk2.groups.io> from the address
> list, as that should be a list to receive automated Bugzilla email.)
>
> On 04/12/19 10:43, Wang, Jian J wrote:
> > Hi,
> >
> > Currently, we generally follow the process below to handle security bugs.
> > But there's no document to describe the detailed working flow.
> > There are also discussions on lack of important information, poor
> > issue description and no timely notification on update, etc.
> >
> >        "0 - New Security Bug"
> >   -> "1 - Triage"
> >   -> "2 - Mitigation"
> >   -> "3 - Embargo"
> >   -> "4 - Disclosure"
> >   -> "5 - Exit";
> >
> > I have a proposal at the following page to elaborate the process and try
> > to address all problems reported so far. The following content is for
> > discussion only. Once the process is finalized, it will be moved to the
> > official edk2 wiki page.
> >
> > https://github.com/jwang36/tianocore.github.io/wiki/Proposal-of-security-issue-process
> >
> > Any opinions and suggestions are welcome.
>
> Thanks for working on this!
>
> I've skimmed the diagrams. I have one suggestion and one request for
> clarification.
>
>
> - Suggestion: a CVE number should be requested (if appropriate) as
> soon as the CVSS score (i.e. the nature of the vulnerability) has been
> calculated, and it has been determined whether platforms in practice
> (both physical and virtual) are affected.
>
> This is important because vendors should have a common (cross-vendor)
> reference for tracking the issue even in their own internal systems,
> and this reference should be available to all vendors internally as
> soon as upstream determines the issue has security impact.
>
> Additionally, as soon as members begin collaborating on actual
> patches, the patches should carry the CVE number in the subject line(s).
>

No strong opinion. If no objection, let's do as you suggested.

>
> - Request for clarification: the Embargo diagram should clarify that
> vendors are *forbidden* from shipping fixes in their own products,
> regardless of format, until the embargo is lifted. The point of an
> embargo is to release/ship the fixes all at once, across all vendors.
>
> It's OK to wait for a while between "3.5 Announce Embargo End", and
> "4.3 Open BZ To Public" / "4.4 Open source the patch". That's the
> interval when vendors would release their fixes all together.
>
> It's *not* OK, for any vendor, to ship their own fixes before "3.5
> Announce Embargo End".
>
> Yes, this means that some vendors will have to wait on other vendors,
> and some vendors will have to work more hastily than they are used to,
> for the sake of other vendors. This is what coordinated/responsible
> disclosure means, and it aims to benefit the cumulative user base.

I think it's impractical to ask all vendors to release the fixes at the same time. The longer a security issue exists in a product, the more damage may be caused potentially. I don't think any vendor wants to risk that. But it's reasonable and feasible to ask vendors not to expose the issue details in the embargo period.

So my understanding is that embargo is for preparing the security issue information disclosure purpose, during which all vendors should integrate the mitigation solution into their products. Actually, once someone else finds the same issue and opens it to the public in the period, we should end the embargo immediately. This step is missing in the work flow chart.

Vincent, please correct me if anything is wrong here.

Regards,
Jian
>
> Thanks
> Laszlo
>