RFC Proposed Security Process Changes

Demeter, Miki

Hello everyone,

Submitted for the community to evaluate and provide any feedback. We are looking to move to GitHub Security Reporting and Security advisories. This makes some minor changes to the Security reporting process and a big shift for the Security advisories. Please take a moment to provide any feedback. We will be selectively using the procedure below for some trial runs and will report and changes or omissions that may be found in the proposed process.

Process for GHSA – provided by Miki Demeter

* Private Vulnerability Reporting – Reporter makes a probable security issue
* If security issue only GHSR – Security Policy to describe the procedure to report security issue (Sean B)
* Validate that it is a security issue - Infosec Team will determine if this is a security issue. This may require the enlistment of subject matter experts – If not deemed security issue ask reporter to submit Bugzilla.
* If the issue is a security issue
* GHSA Created - Infosec Team creates the GHSA
* Add infosec team – Infosec add the team members, Maintainers, reviewers and submitter (need Infosec team group)
* CVSS Scoring - Infosec Team with assistance from submitter set the CVSS Score
* Assign CWEs - Infosec Team assigns appropriate CWEs
* Allocate CVE # - Infosec Team allocates CVE# to reference issue
* Add private fork - Infosec Team creates private fork for patch work to be completed
* Embargo period established - Infosec Team establishes the embargo time period
* Proposed Patch created or exists – OwnerAll discussion at the GHSA patch level not file patch level)
* Maintainers, Reviewers and Infosec Team – All parties evaluate patch
* Validate Fix complete - Infosec Team
* Level of Testing required to consider complete - infosec Team defines the level of testing necessary to validate.
* Embargo Period Ends
* GHSA PR Created - Publicly Visible at this point
* Merged within 1 day
* CVE Details Updated – Infosec team updates CVE Detail information and submits to Mitre and make public

# Security Policy - Provided by Sean Brogan

Tianocore Edk2 is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. We build and maintain edk2 knowing that there are many downstream repositories and projects that derive or inherit significant code from this project. But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows flexibility for use without contribution back to Edk2. Therefore, any issues found here may or may not exist in products derived from Edk2.

## Supported Versions

Due to the usage model we generally only supply fixes to the master branch. If requested, we may generate a release branch from a stable tag (up to one release back) and apply patches but given our downstream consumption model this is generally not necessary.

## Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues or bugzilla.

Instead please use Github Private vulnerability reporting, which is enabled for the edk2 repository.

This process is well documented by github in their documentation[here<https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability>].

This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Tianocore Edk2 follows the principle of Coordinated Vulnerability Disclosure.
More information is available here:

* [ISO/IEC 29147:2018 on Vulnerability Disclosure<https://www.iso.org/standard/72311.html>]
* [The CERT Guide to Coordinated Vulnerability Disclosure<https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf>

Miki Demeter (she/her/Miki)
Security Researcher / FW Developer
Intel Corporation

Co-Chair, Network of Intel African-Ancestry(NIA) - Oregon

Portland Women in Tech Best Speaker
503.712.8030 (office)
971.248.0123 (cell)