Repo File Sync: synced file(s) with microsoft/mu_devops (#59)

microsoft · Feb 2, 2023 · 124616f · 124616f
1 parent 7cbed96
commit 124616f
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -28,6 +28,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
+      timezone: "America/Los_Angeles"
+      time: "06:00"
     commit-message:
       prefix: "GitHub Action"
     labels:
@@ -37,6 +39,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+      timezone: "America/Los_Angeles"
+      time: "01:00"
     commit-message:
       prefix: "pip"
     labels:

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -12,10 +12,26 @@ For each item, place an "x" in between `[` and `]` if true. Example: `[x]`.
 _(you can also check items in the GitHub UI)_
 
 - [ ] Impacts functionality?
+  - **Functionality** - Does the change ultimately impact how firmware functions?
+  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
 - [ ] Impacts security?
+  - **Security** - Does the change have a direct security impact on an application,
+    flow, or firmware?
+  - Examples: Crypto algorithm change, buffer overflow fix, parameter
+    validation improvement, ...
 - [ ] Breaking change?
+  - **Breaking change** - Will anyone consuming this change experience a break
+    in build or boot behavior?
+  - Examples: Add a new library class, move a module to a different repo, call
+    a function in a new library class in a pre-existing module, ...
 - [ ] Includes tests?
+  - **Tests** - Does the change include any explicit test code?
+  - Examples: Unit tests, integration tests, robot tests, ...
 - [ ] Includes documentation?
+  - **Documentation** - Does the change contain explicit documentation additions
+    outside direct code modifications (and comments)?
+  - Examples: Update readme file, add feature readme file, link to documentation
+    on an a separate Web page, ...
 
 ## How This Was Tested
 

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -18,6 +18,11 @@ section of the relevant Project Mu GitHub repo.
 Every Project Mu repo has an `Issues` section. Bug reports, feature requests, and documentation requests can all be
 submitted in the issues section.
 
+## Security Vulnerabilities
+
+Please review the repos `Security Policy` but in general every Project Mu repo has `Private vulnerability reporting`
+enabled.  Please use the security tab to report a potential issue.  
+
 ### Identify Where to Report
 
 Project Mu is distributed across multiple repositories. Use features such as issues and discussions in the repository

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,41 @@
+# Project Mu Security Policy
+
+Project Mu is an open source firmware project that is leveraged by and combined into
+other projects to build the firmware for a given product.  We build and maintain this
+code with the intent that any consuming projects can use this code as-is.  If features
+or fixes are necessary we ask that they contribute them back to the project.  **But**, that
+said, in the firmware ecosystem there is a lot of variation and differentiation, and
+the license in this project allows flexibility for use without contribution back to
+Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.  
+
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the most recent release branch (or main).
+For a serious vulnerability we may patch older release branches.
+
+## Additional Notes
+
+Project Mu contains code that is available and/or originally authored in other
+repositories (see <https://github.com/tianocore/edk2> as one such example).  For any
+vulnerability found, we may be subject to their security policy and may need to work
+with those groups to resolve amicably and patch the "upstream".  This might involve 
+additional time to release and/or additional confidentiality requirements.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
+repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).