mu_silicon_arm_tiano/SECURITY.md

# Project Mu Security Policy

Project Mu is an open source firmware project that is leveraged by and combined into
other projects to build the firmware for a given product.  We build and maintain this
code with the intent that any consuming projects can use this code as-is.  If features
or fixes are necessary we ask that they contribute them back to the project.  **But**, that
said, in the firmware ecosystem there is a lot of variation and differentiation, and
the license in this project allows flexibility for use without contribution back to
Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.

## Supported Versions

Due to the usage model we generally only supply fixes to the most recent release branch (or main).
For a serious vulnerability we may patch older release branches.

## Additional Notes

Project Mu contains code that is available and/or originally authored in other
repositories (see <https://github.com/tianocore/edk2> as one such example).  For any
vulnerability found, we may be subject to their security policy and may need to work
with those groups to resolve amicably and patch the "upstream".  This might involve
additional time to release and/or additional confidentiality requirements.

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).

This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.

## Preferred Languages

We prefer all communications to be in English.

## Policy

Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).
Repo File Sync: Synced file(s) with microsoft/mu_devops (#24) Synced local file(s) with [microsoft/mu_devops](https://github.com/microsoft/mu_devops). 🤖: View the [Repo File Sync Configuration File](https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml) to see how files are synced. --- This PR was created automatically by the [repo-file-sync-action](https://github.com/BetaHuhn/repo-file-sync-action) workflow run [#3578665266](https://github.com/microsoft/mu_devops/actions/runs/3578665266) Signed-off-by: Project Mu UEFI Bot <uefibot@microsoft.com> 2022-11-30 19:34:12 +03:00			`# Project Mu Security Policy`

			`Project Mu is an open source firmware project that is leveraged by and combined into`
			`other projects to build the firmware for a given product. We build and maintain this`
			`code with the intent that any consuming projects can use this code as-is. If features`
			`or fixes are necessary we ask that they contribute them back to the project. But, that`
			`said, in the firmware ecosystem there is a lot of variation and differentiation, and`
			`the license in this project allows flexibility for use without contribution back to`
			`Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.`

			`## Supported Versions`

			`Due to the usage model we generally only supply fixes to the most recent release branch (or main).`
			`For a serious vulnerability we may patch older release branches.`

			`## Additional Notes`

			`Project Mu contains code that is available and/or originally authored in other`
			`repositories (see <https://github.com/tianocore/edk2> as one such example). For any`
			`vulnerability found, we may be subject to their security policy and may need to work`
			`with those groups to resolve amicably and patch the "upstream". This might involve`
			`additional time to release and/or additional confidentiality requirements.`

			`## Reporting a Vulnerability`

			`Please do not report security vulnerabilities through public GitHub issues.`

			`Instead please use Github Private vulnerability reporting, which is enabled for each Project Mu`
			`repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).`

			`This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.`

			`## Preferred Languages`

			`We prefer all communications to be in English.`

			`## Policy`

			`Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).`