On the EDK2-Devel list, Mike Kinney of Intel announced the creation of the Tianocore Bugzilla Server and the new EDK2-bugs mailing list, which tracks changes to the bug database. The Tianocore project is going to migrate from the GitHub bug database to their own Bugzilla-based one. The announcement mentions a special case for UEFI security issues:
There is one special Product type on the Bugzilla server called “Tianocore Security Issues”. If you believe you have discovered a security issue, then you must enter the issue using the “Tianocore Security Issues” Product. The issue will be evaluated to determine if it really is a security issue or not. NOTE: Never any security issue details in email.
For full details, see Mike’s post:
http://article.gmane.org/gmane.comp.bios.edk2.devel/14844
More info:
https://tianocore.acgmultimedia.com
https://lists.01.org/mailman/listinfo/edk2-bugs
Hmm, no posts yet to the new list, or at least nothing has been archived. Yet there are 39 bugs in the database; I would have expected at least 39 posts in the archives. The Tianocore Security Advisory list never seemed to work. The Intel Security Advisories list never seemed to work. Let’s hope the EDK2-bugs list works…
https://tianocore.acgmultimedia.com/buglist.cgi?bug_status=__open__&no_redirect=1&order=Importance&query_format=specific
https://lists.01.org/pipermail/edk2-bugs/