mu_silicon_intel_tiano/SECURITY.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

40 строки
2.1 KiB
Markdown
Исходник Постоянная ссылка Обычный вид История

# Project Mu Security Policy
Project Mu is an open source firmware project that is leveraged by and combined into
other projects to build the firmware for a given product. We build and maintain this
code with the intent that any consuming projects can use this code as-is. If features
or fixes are necessary we ask that they contribute them back to the project. **But**, that
said, in the firmware ecosystem there is a lot of variation and differentiation, and
the license in this project allows flexibility for use without contribution back to
Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.
## Supported Versions
Due to the usage model we generally only supply fixes to the most recent release branch (or main).
For a serious vulnerability we may patch older release branches.
## Additional Notes
Project Mu contains code that is available and/or originally authored in other
repositories (see <https://github.com/tianocore/edk2> as one such example). For any
vulnerability found, we may be subject to their security policy and may need to work
with those groups to resolve amicably and patch the "upstream". This might involve
additional time to release and/or additional confidentiality requirements.
## Reporting a Vulnerability
**Please do not report security vulnerabilities through public GitHub issues.**
Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).