-
Notifications
You must be signed in to change notification settings - Fork 345
GHSA GitHub Security Advisories Proceess
Vincent Zimmer edited this page Jul 9, 2024
·
1 revision
- If security issue only GHSR (GitHub Security Report) - Security Policy to describe the procedure to report security issue (Sean B completed)
Validate that it is a security issue - Infosec Team will determine if report is a security issue. This may require the enlistment of subject matter experts - If not deemed security issue, ask reporter to submit Bugzilla
- If the report is determined to be a security issue
- GHSA Created - Infosec Team may create the GHSA (if from Bugzilla) but typically this is created by the reporter
- Add infosec team - Infosec add the team members, Maintainers, reviewers and submitter (need Infosec team group - completed)
- CVSS Scoring - Infosec Team with assistance from submitter set the CVSS Score
- Assign CWEs - Infosec Team assigns appropriate CWEs
- Allocate CVE # - Infosec Team allocates CVE# to reference issue
- Add private fork - Infosec Team creates private fork for patch work to be completed
- Proposed Patch created or exists
- Developer pushes branch to private fork (DevName-FixDesc-version)
- Developer submits Pull Request to private fork
- Developer Leaves comment using the @ mentions to alert Maintainers & Reviewers
- All discussion takes place within the GHSA.
- Discussion should use @ mentions to tag people / teams for reviews or comments
- If conversation is needed for documentation Comments need to be at the Advisory comments not file or line
- Submitter must add Maintainers & Reviewers to Pull Request
- Maintainers, Reviewers and Infosec Team - All parties evaluate Pull Request
- Validate Fix complete - Infosec Team, SME(s)
- Level of Testing required to consider complete - Infosec Team defines the level of testing necessary to validate.
- Close unused Pull Requests
- Embargo period established - Infosec Team establishes the embargo time period
- 60 Day under normal circumstances.
- Exception process is possible based on external factors
- Embargo Period Ends
- GHSA PR (Pull Request) Created - GHSA Info is publicly visible at this point
- Merged to Main branch within 1 day – under normal circumstances
- This means maintainer (and/or from infosec participant or community manager or steward) will sign-off via pull request (and avoid patch email review)
- To ensure no clerical/formatting overhead recommend running local CI linting tools while in embargo prior to making public
- Publish GHSA
- Merged to Main branch within 1 day – under normal circumstances
- CVE Details Updated - Infosec team updates CVE Detail information and submits to Mitre and make CVE public
Home
Getting Started with EDK II
Build Instructions
EDK II Platforms
EDK II Documents
EDK II Release Planning
Reporting Issues
Reporting Security Issues
Community Information
Inclusive Language
Additional Projects & Tasks
Training
Community Support
Community Virtual Meetings
GHSA GitHub Security Advisories Proceess (Draft)