Project Mu Security Policy¶
Project Mu is an open source firmware project that is leveraged by and combined into other projects to build the firmware for a given product. We build and maintain this code with the intent that any consuming projects can use this code as-is. If features or fixes are necessary we ask that they contribute them back to the project. But, that said, in the firmware ecosystem there is a lot of variation and differentiation, and the license in this project allows flexibility for use without contribution back to Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.
Due to the usage model we generally only supply fixes to the most recent release branch (or main). For a serious vulnerability we may patch older release branches.
Project Mu contains code that is available and/or originally authored in other repositories (see https://github.com/tianocore/edk2 as one such example). For any vulnerability found, we may be subject to their security policy and may need to work with those groups to resolve amicably and patch the "upstream". This might involve additional time to release and/or additional confidentiality requirements.
Reporting a Vulnerability¶
Please do not report security vulnerabilities through public GitHub issues.
Instead please use Github Private vulnerability reporting, which is enabled for each Project Mu repository. This process is well documented by github in their documentation here.
This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
We prefer all communications to be in English.
Microsoft follows the principle of Coordinated Vulnerability Disclosure.