[PATCH v1 0/1] Define security policy in SECURITY.md file for repository

[PATCH v1 0/1] Define security policy in SECURITY.md file for repository

[Kun Qin]

This change added a markdown file as a policy guideline for Tianocore EDK2
community to handle security sensitive reports.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Miki Demeter <miki.demeter@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Sean Brogan (1):
  Define security policy in SECURITY.md file for repository

 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 SECURITY.md

-- 
2.37.1.windows.1

[PATCH v1 1/1] Define security policy in SECURITY.md file for repository

[Kun Qin]

From: Sean Brogan <sean.brogan@microsoft.com>

Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
the Github Private Vulnerability Reporting process.

Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
---
 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..bef046e91aa1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
+We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
+But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
+flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
+tag and apply patches but given our downstream consumption model this is generally not necessary.
+
+## Reporting a Vulnerability
+
+Please do not report security vulnerabilities through public GitHub issues or bugzilla.
+
+Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
+This process is well documented by github in their documentation
+[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
+More information is available here:
+
+* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
+* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
-- 
2.37.1.windows.1

Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository

[Demeter, Miki]

[-- Attachment #1: Type: text/plain, Size: 1452 bytes --]

Ack

Need to get this acked by others in infosec too


--
Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
FST
Intel Corporation

Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon
NIA-Oregon<https://intel.sharepoint.com/sites/NIA>

Portland Women in Tech Best Speaker
miki.demeter@intel.com<mailto:miki.demeter@intel.com>
503.712.8030 (office)
971.248.0123 (cell)


From: Kun Qin <kuqin12@gmail.com>
Date: Thursday, March 9, 2023 at 1:44 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Andrew Fish <afish@apple.com>, Leif Lindholm <quic_llindhol@quicinc.com>, Kinney, Michael D <michael.d.kinney@intel.com>, Demeter, Miki <miki.demeter@intel.com>, Sean Brogan <sean.brogan@microsoft.com>
Subject: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository
This change added a markdown file as a policy guideline for Tianocore EDK2
community to handle security sensitive reports.

Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1

Cc: Andrew Fish <afish@apple.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Miki Demeter <miki.demeter@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>

Sean Brogan (1):
  Define security policy in SECURITY.md file for repository

 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 SECURITY.md

--
2.37.1.windows.1

[-- Attachment #2: Type: text/html, Size: 6398 bytes --]

Re: [edk2-devel] [PATCH v1 1/1] Define security policy in SECURITY.md file for repository

[Rebecca Cran]

Reviewed-by: Rebecca Cran <rebecca@bsdio.com>


On 3/9/23 12:43 PM, Kun Qin wrote:
> From: Sean Brogan <sean.brogan@microsoft.com>
>
> Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
> the Github Private Vulnerability Reporting process.
>
> Co-authored-by: Sean Brogan <sean.brogan@microsoft.com>
> Signed-off-by: Kun Qin <kun.qin@microsoft.com>
> ---
>   SECURITY.md | 33 ++++++++++++++++++++
>   1 file changed, 33 insertions(+)
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..bef046e91aa1
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,33 @@
> +# Security Policy
> +
> +Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product.
> +We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project.
> +But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows
> +flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.
> +
> +## Supported Versions
> +
> +Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable
> +tag and apply patches but given our downstream consumption model this is generally not necessary.
> +
> +## Reporting a Vulnerability
> +
> +Please do not report security vulnerabilities through public GitHub issues or bugzilla.
> +
> +Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.
> +This process is well documented by github in their documentation
> +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
> +
> +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
> +
> +## Preferred Languages
> +
> +We prefer all communications to be in English.
> +
> +## Policy
> +
> +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
> +More information is available here:
> +
> +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html)
> +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)

Re: [edk2-devel] [PATCH v1 0/1] Define security policy in SECURITY.md file for repository

[Kevin@Insyde]

[-- Attachment #1.1: Type: text/html, Size: 6799 bytes --]

[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 2199 bytes --]

Re: [PATCH v1 0/1] Define security policy in SECURITY.md file for repository

[Leif Lindholm]

On 2023-03-09 19:43, Kun Qin wrote:
> This change added a markdown file as a policy guideline for Tianocore EDK2
> community to handle security sensitive reports.
> 
> Patch v1 branch: https://github.com/kuqin12/edk2/tree/patch-1
> 
> Cc: Andrew Fish <afish@apple.com>
> Cc: Leif Lindholm <quic_llindhol@quicinc.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Miki Demeter <miki.demeter@intel.com>
> Cc: Sean Brogan <sean.brogan@microsoft.com>
> 
> Sean Brogan (1):
>    Define security policy in SECURITY.md file for repository
> 
>   SECURITY.md | 33 ++++++++++++++++++++
>   1 file changed, 33 insertions(+)
>   create mode 100644 SECURITY.md

Nitpick: edk2 is alternaltingly capitalised or not in the readme.
But

Reviewed-by: Leif Lindholm <quic_llindhol@quicinc.com>