From: "Wang, Jian J" <jian.j.wang@intel.com>
To: bugs@edk2.groups.io
CC: devel@edk2.groups.io, Laszlo Ersek, "Zimmer, Vincent", "Cetola, Stephano", "Gao, Liming"
Subject: [RFC] Propose update of security bug handling process
Date: Fri, 12 Apr 2019 08:43:10 +0000
Hi,

Currently, we generally follow the process below to handle security bugs, but there is no document describing the detailed workflow. There have also been discussions on the lack of important information, poor issue descriptions, no timely notification on updates, etc.

"0 - New Security Bug" -> "1 - Triage" -> "2 - Mitigation" -> "3 - Embargo" -> "4 - Disclosure" -> "5 - Exit";

I have a proposal at the following page to elaborate the process and try to address all problems reported so far. The following content is for discussion only. Once the process is finalized, it will be moved to the official edk2 wiki page.

https://github.com/jwang36/tianocore.github.io/wiki/Proposal-of-security-issue-process

Any opinions and suggestions are welcome.

Regards,
Wang, Jian J