From: "Demeter, Miki" <miki.demeter@intel.com>
To: rfc@edk2.groups.io, devel@edk2.groups.io
Subject: RFC Proposed Security Process Changes
Date: Wed, 1 Mar 2023 19:57:49 +0000

Hello everyone,

Submitted for the community to evaluate and provide any feedback. We are looking to move to GitHub Security Reporting and Security Advisories. This makes some minor changes to the security reporting process and a big shift for the security advisories. Please take a moment to provide any feedback. We will be selectively using the procedure below for some trial runs and will report any changes or omissions that may be found in the proposed process.

Process for GHSA – provided by Miki Demeter

* Private Vulnerability Reporting – Reporter files a probable security issue
  * If security issue only GHSR – Security Policy to describe the procedure to report a security issue (Sean B)
* Validate that it is a security issue – Infosec Team will determine if this is a security issue. This may require the enlistment of subject matter experts – If not deemed a security issue, ask reporter to submit to Bugzilla.
  * If the issue is a security issue
    * GHSA Created – Infosec Team creates the GHSA
    * Add infosec team – Infosec adds the team members, Maintainers, reviewers and submitter (need Infosec team group)
    * CVSS Scoring – Infosec Team with assistance from submitter sets the CVSS Score
    * Assign CWEs – Infosec Team assigns appropriate CWEs
    * Allocate CVE # – Infosec Team allocates CVE # to reference issue
    * Add private fork – Infosec Team creates private fork for patch work to be completed
  * Embargo period established – Infosec Team establishes the embargo time period
  * Proposed Patch created or exists – Owner (All discussion at the GHSA patch level, not file patch level)
    * Maintainers, Reviewers and Infosec Team – All parties evaluate patch
    * Validate Fix complete – Infosec Team
    * Level of Testing required to consider complete – Infosec Team defines the level of testing necessary to validate.
    * Embargo Period Ends
    * GHSA PR Created – Publicly visible at this point
      * Merged within 1 day
    * CVE Details Updated – Infosec Team updates CVE detail information, submits to MITRE and makes it public

# Security Policy - Provided by Sean Brogan

Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project. But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.

## Supported Versions

Due to the usage model we generally only supply fixes to the master branch. If requested, we may generate a release branch from a stable tag (up to one release back) and apply patches, but given our downstream consumption model this is generally not necessary.

## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues or Bugzilla.

Instead, please use GitHub Private Vulnerability Reporting, which is enabled for the edk2 repository.

This process is well documented by GitHub in their documentation [here].

This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.

More information is available here:

* [ISO/IEC 29147:2018 on Vulnerability Disclosure]
* [The CERT Guide to Coordinated Vulnerability Disclosure]

--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation

Co-Chair, Network of Intel African-Ancestry (NIA) - Oregon
NIA-Oregon

Portland Women in Tech Best Speaker
miki.demeter@intel.com
503.712.8030 (office)
971.248.0123 (cell)
