
Re: [Predisclosure-applications] Inclusion in the Xen Security pre-disclosure list


Thanks for the feedback.

For the "obtaining a quote":

Our basic offerings (shared hosting, domain names, …) are available via online ordering forms, but we don't have an online ordering process for VMs. Our business is managed enterprise hosting, including the sizing and layout of which VMs are needed, the setup, daily maintenance, patching, etc. This ranges from one VM up to "private cloud" (multiple VMs on several dedicated servers for a single client). Every offer is different, and is made to match the needs of the customer. It isn't possible to order an "off-the-shelf unmanaged VM" with us.

People contact us to arrange a meeting, and get a quote. On every page describing the various products we offer, we have a call-to-action at the bottom to get in touch with us: http://www.openminds.be/en/cloud-hosting (the big orange box at the bottom of the page). I hope this is sufficient (it works for our business, as we have clients, and get contacted to make quotes… ;-) ). An additional sales mail address is linked on the contact-us page.

Contacting us concerning security-issues:

Our contact info is linked on each page (top navigation bar, "contact"), and detailed contact info is available here: http://www.openminds.be/en/contact. There is a small paragraph concerning security-issues. Besides this, our clients have contracts with us, and part of the contract is our AUP, which contains a section about security - "if they discover something which is out of the ordinary, they should get in contact" summarized.

The tech@ alias:

You can change the tech@ alias to the security@ alias, if you want. The non-disclosure nature will be communicated to all engineers upon inclusion in the list. The number of people actually seeing the ticket is about the same; an average of 8 to 10 people would receive the mail.

Technically, both aliases will work, but the tech@ mails need to be converted to a ticket, after an engineer decides the security-issues described are affecting our systems and/or customers. We use the tech@ for our subscription to Debian/Ubuntu Security mailings, some security-related mailing lists, etc. The security@ is an alias to the support-system, and will immediately create a ticket in our systems (which can then be closed if we aren't affected).

I hope this clarifies our application.

Kind regards,
Bernard Grymonpon
Openminds BVBA

On 03 Mar 2015, at 17:10, Ian Campbell <ijc@xxxxxxx> wrote:

On Mon, 2015-03-02 at 17:05 +0100, Bernard Grymonpon wrote:
we would like to be included in the Xen pre-disclosure list.

Thank you for your application.

The security policy[0] requires "Link(s) to current public web pages,
belonging to your organisation," for each piece of information.

Please could you point us to the page which describes how one can obtain
a quote from you.

With regards to "Your invitation to members of the public, who discover
security problems with your products/services, to report them in
confidence to you;" and "Specifically, the contact information (email
addresses or other contact instructions) which such a member of the
public should use." please can you point us to such a page. I'm afraid
that the policy requires this.

Please can you provide this information so that we may continue to
process your application.

Please could you also clarify the scope of your tech@ alias. It is
intended that predisclosures go to a small team dedicated to handling
incoming security issues, rather than a large team of system


[0] http://www.xenproject.org/security-policy.html
