Add security policy for file syncing (#103)

Author: spbrogan

.sync/Files.yml

@@ -276,6 +276,27 @@ group:
       microsoft/mu_silicon_intel_tiano
       microsoft/mu_tiano_plus
 
+# GitHub Templates - Security Policy
+  - files:
+    - source: .sync/github_templates/security/SECURITY.md
+      dest: SECURITY.md
+    repos: |
+      microsoft/mu
+      microsoft/mu_basecore
+      microsoft/mu_common_intel_min_platform
+      microsoft/mu_crypto_release
+      microsoft/mu_feature_config
+      microsoft/mu_feature_dfci
+      microsoft/mu_feature_ipmi
+      microsoft/mu_feature_mm_supv
+      microsoft/mu_feature_uefi_variable
+      microsoft/mu_oem_sample
+      microsoft/mu_plus
+      microsoft/mu_silicon_arm_tiano
+      microsoft/mu_silicon_intel_tiano
+      microsoft/mu_tiano_platforms
+      microsoft/mu_tiano_plus
+
 # Leaf Workflow - Apply Labels
   - files:
     - source: .sync/workflows/leaf/label-issues.yml

.sync/github_templates/contributing/CONTRIBUTING.md

@@ -18,6 +18,11 @@ section of the relevant Project Mu GitHub repo.
 Every Project Mu repo has an `Issues` section. Bug reports, feature requests, and documentation requests can all be
 submitted in the issues section.
 
+## Security Vulnerabilities
+
+Please review the repos `Security Policy` but in general every Project Mu repo has `Private vulnerability reporting`
+enabled.  Please use the security tab to report a potential issue.  
+
 ### Identify Where to Report
 
 Project Mu is distributed across multiple repositories. Use features such as issues and discussions in the repository

.sync/github_templates/security/SECURITY.md

@@ -0,0 +1,41 @@
+# Project Mu Security Policy
+
+Project Mu is an open source firmware project that is leveraged by and combined into
+other projects to build the firmware for a given product.  We build and maintain this
+code with the intent that any consuming projects can use this code as-is.  If features
+or fixes are necessary we ask that they contribute them back to the project.  **But**, that
+said, in the firmware ecosystem there is a lot of variation and differentiation, and
+the license in this project allows flexibility for use without contribution back to
+Project Mu. Therefore, any issues found here may or may not exist in products using Project Mu.  
+
+
+## Supported Versions
+
+Due to the usage model we generally only supply fixes to the most recent release branch (or main).
+For a serious vulnerability we may patch older release branches.
+
+## Additional Notes
+
+Project Mu contains code that is available and/or originally authored in other
+repositories (see <https://github.com/tianocore/edk2> as one such example).  For any
+vulnerability found, we may be subject to their security policy and may need to work
+with those groups to resolve amicably and patch the "upstream".  This might involve 
+additional time to release and/or additional confidentiality requirements.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead please use **Github Private vulnerability reporting**, which is enabled for each Project Mu
+repository. This process is well documented by github in their documentation [here](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability).
+
+This process will allow us to privately discuss the issue, collaborate on a solution, and then disclose the vulnerability.
+
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://www.microsoft.com/en-us/msrc/cvd).