From: "Kun Qin"
To: devel@edk2.groups.io
Cc: Sean Brogan
Subject: [edk2-devel] [PATCH v1 1/1] Define security policy in SECURITY.md file for repository
Date: Thu, 9 Mar 2023 11:43:51 -0800
Message-Id: <20230309194351.1024-2-kuqin12@gmail.com>
In-Reply-To: <20230309194351.1024-1-kuqin12@gmail.com>
References: <20230309194351.1024-1-kuqin12@gmail.com>
Reply-To: devel@edk2.groups.io,kuqin12@gmail.com
Content-Type: text/plain; charset="utf-8"
From: Sean Brogan

Create SECURITY.md security policy for tianocore edk2 leveraging CVD and the Github Private Vulnerability Reporting process.

Co-authored-by: Sean Brogan
Signed-off-by: Kun Qin
Reviewed-by: Leif Lindholm
Reviewed-by: Rebecca Cran
---
 SECURITY.md | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..bef046e91aa1
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,33 @@ +# Security Policy + +Tianocore Edk2 is an open source firmware project that is leveraged by and= combined into other projects to build the firmware for a given product. +We build and maintain edk2 knowing that there are many downstream reposito= ries and projects that derive or inherit significant code from this project. +But, that said, in the firmware ecosystem there is a lot of variation and = differentiation, and the license in this project allows +flexibility for use without contribution back to Edk2. Therefore, any issu= es found here may or may not exist in products derived from Edk2. + +## Supported Versions + +Due to the usage model we generally only supply fixes to the master branch= . If requested we may generate a release branch from a stable +tag and apply patches but given our downstream consumption model this is g= enerally not necessary. + +## Reporting a Vulnerability + +Please do not report security vulnerabilities through public GitHub issues= or bugzilla. + +Instead please use Github Private vulnerability reporting, which is enable= d for the edk2 repository. +This process is well documented by github in their documentation +[here](https://docs.github.com/en/code-security/security-advisories/guidan= ce-on-reporting-and-writing/privately-reporting-a-security-vulnerability#pr= ivately-reporting-a-security-vulnerability). + +This process will allow us to privately discuss the issue, collaborate on = a solution, and then disclose the vulnerability. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosu= re. 
+More information is available here: + +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/sta= ndard/72311.html) +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resourc= es.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
-- 
2.37.1.windows.1
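Review bot: the "Reporting a Vulnerability" section names GitHub private vulnerability reporting as the only private channel, so a reporter without a GitHub account, or one who finds the feature unavailable, is left with no sanctioned route other than the public GitHub issues and bugzilla the section has just ruled out; consider adding a fallback private contact alongside the GitHub process. Two smaller points in the same hunk: the project name appears as "Tianocore Edk2", "edk2" and "Edk2" within a few lines, and the link to the GitHub documentation uses the bare anchor text "here" where a descriptive phrase such as "GitHub's guide to privately reporting a security vulnerability" would read better in the rendered file.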