Hi,

Currently, we generally follow the process below to handle security bugs, but there is no document describing the detailed workflow. There have also been discussions about a lack of important information, poor issue descriptions, and no timely notification of updates, etc.
"0 - New Security Bug" -> "1 - Triage" -> "2 - Mitigation" -> "3 - Embargo" -> "4 - Disclosure" -> "5 - Exit"

I have a proposal at the following page to elaborate the process and try to address all problems reported so far. The following content is for discussion only. Once the process is finalized, it will be moved to the official edk2 wiki page.

https://github.com/jwang36/tianocore.github.io/wiki/Proposal-of-security-issue-process

Any opinions and suggestions are welcome.

Regards,
Wang, Jian J

View/Reply Online (#38948): https://edk2.groups.io/g/devel/message/38948