Date: Tue, 28 Mar 2023 06:15:56 -0600
Subject: Re: [edk2-devel] [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
To: devel@edk2.groups.io, kuqin12@gmail.com
Cc: Sean Brogan
From: "Rebecca Cran"
References: <20230309194351.1024-1-kuqin12@gmail.com> <20230309194351.1024-2-kuqin12@gmail.com>
In-Reply-To: <20230309194351.1024-2-kuqin12@gmail.com>

Reviewed-by: Rebecca Cran

On 3/9/23 12:43 PM, Kun Qin wrote:
> From: Sean Brogan
>
> Create SECURITY.md security policy for tianocore edk2 leveraging CVD and
> the Github Private Vulnerability Reporting process.
>
> Co-authored-by: Sean Brogan
> Signed-off-by: Kun Qin
> ---
>  SECURITY.md | 33 ++++++++++++++++++++
>  1 file changed, 33 insertions(+)
> > diff --git a/SECURITY.md b/SECURITY.md > new file mode 100644 > index 000000000000..bef046e91aa1 > --- /dev/null > +++ b/SECURITY.md 
> @@ -0,0 +1,33 @@ > +# Security Policy > + > +Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. > +We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project. > +But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows > +flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2. > + > +## Supported Versions > + > +Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable > +tag and apply patches but given our downstream consumption model this is generally not necessary. > + > +## Reporting a Vulnerability > + > +Please do not report security vulnerabilities through public GitHub issues or bugzilla. > + > +Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository. > +This process is well documented by github in their documentation > +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). > + > +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability. > + > +## Preferred Languages > + > +We prefer all communications to be in English. > + > +## Policy > + > +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure. > +More information is available here: > + > +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html) > +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
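Review bot: the "Reporting a Vulnerability" section names GitHub Private Vulnerability Reporting as the only intake channel and gives no expected acknowledgement window, so a reporter without a GitHub account has no route in and nobody knows when a silent report should be escalated; consider adding a fallback contact for such reporters and a target response time (even a rough one) next to the "Please do not report security vulnerabilities through public GitHub issues or bugzilla." line. Also keep product and vendor naming consistent within the file: the same 33 lines use "Tianocore Edk2", "edk2" and "Edk2", and "Github", "GitHub" and "github"; "bugzilla" should read "Bugzilla".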