Reporting a Security Issue

If you have information about a security issue or vulnerability with a product that may be due to its UEFI-based firmware, please send an e-mail to security@uefi.org.  Encrypt sensitive information using our PGP public key.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Steps to demonstrate the vulnerability or reproduce the exploit, including specific configurations or peripherals, if relevant
  • Potential impact of the vulnerability, when exploited
  • Information on known exploits

A member of the UEFI Security Response Team (USRT) will review and acknowledge your e-mail and may contact you to collaborate further on resolving the issue. A summary of the information you provide will be sent to security contacts at all Contributing Members of the UEFI Forum. This is done to ensure that all our Contributing Members are aware of the issue you are reporting, can inspect their implementations to assess its effect on their code, and can participate in the issue’s resolution when applicable.

The UEFI Security Response Team provides a communications conduit between security researchers or others who may discover vulnerabilities and the UEFI community (platform-specific UEFI firmware implementations, the open-source UEFI implementation, the UEFI architecture and those companies that use them in their products). The USRT will also attempt to determine the scope of the vulnerability (individual product implementation, industry-wide implementation, or the UEFI specification itself). The USRT will then assist member companies in the coordination of responses to reported vulnerabilities.

We also encourage the reporting of issues directly to affected product manufacturers, when known, as well as to security@uefi.org. Below is a list of email addresses and URLs of the security contacts of various member companies.

COMPANY EMAIL URL
Absolute Software security@absolute.com https://www.absolute.com/platform/security-information/vulnerability-reporting-management/
AMD psirt@amd.com https://www.amd.com/en/corporate/contact-product-security
AMI BIOSSecurity@ami.com https://www.ami.com/security-center/
Apple product-security@apple.com https://www.apple.com/support/security/
Dell secure@dell.com https://www.dell.com/support/contents/article/product-support/self-support-knowledgebase/security-antivirus/alerts-vulnerabilities/dell-vulnerability-response-policy
Fujitsu Fujitsu-PSIRT@ts.fujitsu.com https://security.ts.fujitsu.com/
Hewlett Packard Enterprises security-alert@hpe.com https://www.hpe.com/info/report-security-vulnerability
HP Inc. hp-security-alert@hp.com https://ssl.www8.hp.com/h41268/live/index.aspx?qid=25434
Insyde Software security.report@insyde.com https://www.insyde.com/contact/reportsecurity
Intel Corp. secure@intel.com www.intel.com/security
Lenovo psirt@lenovo.com https://support.lenovo.com/product_security
Microsoft secure@microsoft.com http://www.microsoft.com/msrc
Phoenix Technologies security@phoenix.com https://www.phoenix.com/security.html

If you discover a security vulnerability you believe is contained in the open-source Tianocore codebase, used as the basis of many UEFI implementations, we encourage you to report it to the USRT as well as following the process described at the Tianocore Reporting Security Issues link.

ETHICAL DISCLOSURE TIMING

The UEFI Forum greatly appreciates ethical disclosures of vulnerabilities by security researchers.  The USRT is eager to coordinate with security researchers and to facilitate the identification of fixes for vulnerable implementations as quickly as possible.  Please be aware that firmware takes longer to patch and update than other types of software.  There are several reasons for this:

  • UEFI firmware is unique in each system implementation
    • Firmware must be customized for each make and model of system
  • There is no single implementer
    • Each OEM is responsible for patching and re-building the firmware images for each of their affected machines
    • OEMs frequently perform extensive QA testing on images before approving them for release
  • Once the OEM develops and posts a new firmware image, typically, end users must proactively find it, download it, and install it
    • There is no existing mechanism to push firmware updates onto most mainstream computers. Because of this, adoption rates can be low.
    • The UEFI Forum and USRT are working with our members to develop various improved mechanisms for delivery of firmware updates.

Because of these special aspects of the firmware updating process, the appropriate delay before ethical public disclosure of a vulnerability is often longer than for other types of software.  Please keep this in mind when working with the USRT to coordinate public disclosure dates.

TELEPHONE CONTACT

If you wish to report an issue or contact the USRT by telephone, please call the UEFI Forum Administrator at +1 503-619-0864.

Thank you for reporting your findings to the USRT.