On 12/2/20 2:17 PM, P J P wrote:
> +-- On Tue, 1 Dec 2020, Philippe Mathieu-Daudé wrote --+
> | Is it possible to release the reproducer to the community, so we can work on
> | a fix and test it?
>
> * No, we cannot release/share reproducers on a public list.
>
> * We can request reporters to do so of their own volition.
> [...]
>
> * Even then, we'll need to ask the reporter's permission before sharing their
>   reproducers on a public list OR with non-members.
>
> * Best is if reporters share/release reproducers themselves. Maybe we can have
>   a public git repository and they can send a PR to include their reproducers
>   in the repository.
While the EDK2 security workflow has its own drawbacks (inherent to the project),
a fair part of it is to ask the reporter to attach their reproducer to the private
BZ; then, when the embargo expires, the BZ becomes public (as does the
reproducer). Thus the community can look at how the bug was handled, how it was
reviewed/tested, by whom, etc.

https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues

> * That way multiple reproducers for the same issue can be held together.