Hello everyone,
Submitted for the community to evaluate and provide any feedback. We are looking to move to GitHub Security Reporting and Security advisories. This makes some minor changes to the Security reporting process
and a big shift for the Security advisories. Please take a moment to provide any feedback. We will be selectively using the procedure below for some trial runs and will report and changes or omissions that may be found in the proposed process.
Process for GHSA – provided by Miki Demeter
# Security Policy - Provided by Sean Brogan
Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. We build and maintain edk2 knowing that there are many downstream repositories and projects
that derive or inherit significant code from this project. But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows flexibility for use without contribution back to Edk2. Therefore, any
issues found here may or may not exist in products derived from Edk2.
## Supported Versions
Due to the usage model we generally only supply fixes to the master branch. If requested, we may generate a release branch from a stable tag (up to one release back) and apply patches but given our downstream consumption model this is generally
not necessary.
## Reporting a Vulnerability
Please do not report security vulnerabilities through public GitHub issues or bugzilla.
Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
This process is well documented by github in their documentation[here].
This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
More information is available here:
* [ISO/IEC 29147:2018 on Vulnerability Disclosure]
* [The CERT Guide to Coordinated Vulnerability Disclosure
--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation
Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
Portland Women in Tech Best Speaker
503.712.8030 (office)
971.248.0123 (cell)