Reviewed-by: Rebecca Cran <rebe...@bsdio.com>
On 3/9/23 12:43 PM, Kun Qin wrote:
From: Sean Brogan <sean.bro...@microsoft.com> Create SECURITY.md security policy for tianocore edk2 leveraging CVD and the Github Private Vulnerability Reporting process. Co-authored-by: Sean Brogan <sean.bro...@microsoft.com> Signed-off-by: Kun Qin <kun....@microsoft.com> --- SECURITY.md | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..bef046e91aa1 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,33 @@ +# Security Policy + +Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. +We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project. +But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows +flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2. + +## Supported Versions + +Due to the usage model we generally only supply fixes to the master branch. If requested we may generate a release branch from a stable +tag and apply patches but given our downstream consumption model this is generally not necessary. + +## Reporting a Vulnerability + +Please do not report security vulnerabilities through public GitHub issues or bugzilla. + +Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository. +This process is well documented by github in their documentation +[here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). + +This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure. +More information is available here: + +* [ISO/IEC 29147:2018 on Vulnerability Disclosure](https://www.iso.org/standard/72311.html) +* [The CERT Guide to Coordinated Vulnerability Disclosure](https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf)
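Review bot: in the "Reporting a Vulnerability" section the spelling of GitHub varies across three lines ("public GitHub issues", "Github Private vulnerability reporting", "documented by github in their documentation"); use "GitHub" consistently, and "Bugzilla" for the tracker name. The same section tells reporters which channels not to use and points them to private reporting, but gives no fallback for a reporter who cannot use GitHub's form and no expected acknowledgement window; consider adding a line along the lines of "If you are unable to use GitHub private vulnerability reporting, contact <security contact to be agreed by the maintainers>" and a sentence stating when a reporter should expect an initial response, since both help keep reports out of the public issue tracker. In "Supported Versions", "Due to the usage model" could be tightened to "Because of our downstream consumption model", which the same paragraph already names.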
View/Reply Online (#102027): https://edk2.groups.io/g/devel/message/102027