From: "Demeter, Miki" <miki.demeter@intel.com>
To: "rfc@edk2.groups.io" <rfc@edk2.groups.io>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Subject: RFC Proposed Security Process Changes
Date: Wed, 1 Mar 2023 19:57:49 +0000 [thread overview]
Message-ID: <DS0PR11MB64458C74F96F5FE6CB00D4078DAD9@DS0PR11MB6445.namprd11.prod.outlook.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 4517 bytes --]
Hello everyone,
Submitted for the community to evaluate and provide any feedback. We are looking to move to GitHub Security Reporting and Security advisories. This makes some minor changes to the Security reporting process and a big shift for the Security advisories. Please take a moment to provide any feedback. We will be selectively using the procedure below for some trial runs and will report and changes or omissions that may be found in the proposed process.
Process for GHSA – provided by Miki Demeter
* Private Vulnerability Reporting – Reporter makes a probable security issue
* If security issue only GHSR – Security Policy to describe the procedure to report security issue (Sean B)
* Validate that it is a security issue - Infosec Team will determine if this is a security issue. This may require the enlistment of subject matter experts – If not deemed security issue ask reporter to submit Bugzilla.
* If the issue is a security issue
* GHSA Created - Infosec Team creates the GHSA
* Add infosec team – Infosec add the team members, Maintainers, reviewers and submitter (need Infosec team group)
* CVSS Scoring - Infosec Team with assistance from submitter set the CVSS Score
* Assign CWEs - Infosec Team assigns appropriate CWEs
* Allocate CVE # - Infosec Team allocates CVE# to reference issue
* Add private fork - Infosec Team creates private fork for patch work to be completed
* Embargo period established - Infosec Team establishes the embargo time period
* Proposed Patch created or exists – OwnerAll discussion at the GHSA patch level not file patch level)
* Maintainers, Reviewers and Infosec Team – All parties evaluate patch
* Validate Fix complete - Infosec Team
* Level of Testing required to consider complete - infosec Team defines the level of testing necessary to validate.
* Embargo Period Ends
* GHSA PR Created - Publicly Visible at this point
* Merged within 1 day
* CVE Details Updated – Infosec team updates CVE Detail information and submits to Mitre and make public
# Security Policy - Provided by Sean Brogan
Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project. But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
## Supported Versions
Due to the usage model we generally only supply fixes to the master branch. If requested, we may generate a release branch from a stable tag (up to one release back) and apply patches but given our downstream consumption model this is generally not necessary.
## Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues or bugzilla.
Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
This process is well documented by github in their documentation[here<https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability>].
This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
More information is available here:
* [ISO/IEC 29147:2018 on Vulnerability Disclosure<https://www.iso.org/standard/72311.html>]
* [The CERT Guide to Coordinated Vulnerability Disclosure<https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf>
--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation
Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
NIA-Oregon<https://intel.sharepoint.com/sites/NIA>
Portland Women in Tech Best Speaker
miki.demeter@intel.com<mailto:miki.demeter@intel.com>
503.712.8030 (office)
971.248.0123 (cell)
[-- Attachment #2: Type: text/html, Size: 13642 bytes --]
reply other threads:[~2023-03-01 19:57 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DS0PR11MB64458C74F96F5FE6CB00D4078DAD9@DS0PR11MB6445.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox