Please update Security Reporting documentation

[eslerm]

Documentation suggests that Bugzilla should be used to report security issues, but automated account creation is disabled (and the listed email-list administrator's address results in undelivered mail).

TianoCore's GHSA Documentation is labeled as a draft.

I reported an issue to https://github.com/tianocore/edk2/security three weeks ago. Is there another way to report vulnerabilities?

Please consider adding a SECURITY.md file to this repo with a security policy explaining how to contact TianoCore's security team.

Could reporting Issues be re-enabled on this repo since bugzilla is closed?

[kevindavisinsyde]

@tianocore/tianocore-infosec-team

[kevindavisinsyde]

Thanks for pinging us on this. Your original security report has been raised.

FYI…TianoCore disabled the ability for developers to create Bugzilla account on their own because fake accounts were being created and spam was being added to existing bugs.

Yes, during the transfer of responsibility we missed changing the banner on Bugzilla. Now fixed.

Any developer that needs a Bugzilla account must email one of the admins. The admin verifies the request, creates the account with a strong password, and emails the requestor with the password so they can change it to their own password.

The TianoCore wiki pages list additional admin email addresses.

https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Issues

There is also a Wiki page for reporting Security Issues. A SECURITY.md file could/will contain the same content or a link to this Wiki page.

https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues

[eslerm]

Thanks @kevindavisinsyde! Appreciate that a new admin was set \o/

[eslerm]

Thank you for re-opening GitHub issues and releasing 11 CVE patches through GHSA notices 🎉

Appreciate the work @jkmathews, @Flickdm, and everyone else involved.