
Re: [Predisclosure-applications] Inclusion in the Xen Security pre-disclosure list



Thanks. Your application appears to now all be in order and you have
been subscribed to the predisclosure list. I have sent copies of the
existing embargoed issues 119, 120, 121, 122, 123 and 124.

Ian.

On Wed, 2015-03-04 at 14:55 +0100, Bernard Grymonpon wrote:
> Ian,
> 
> 
> thanks for the feedback.
> 
> 
> For the "obtaining a quote":
> 
> 
> Our basic offerings (shared hosting, domain names, …) are available via
> online ordering forms, but we don't have an online ordering process
> for VM's. Our business is managed enterprise hosting, including the
> sizing and layout of which VM's are needed, the setup, daily
> maintenance, patching, etc. This ranges from one VM up to "private
> cloud" (multiple VMs on several dedicated servers for a single
> client). Every offer is different, and is made to match the needs of
> the customer. It isn't possible to order an "off-the-shelf unmanaged
> vm" with us.
> 
> 
> People contact us to arrange a meeting, and get a quote. On every page
> describing the various products we offer, we have a call-to-action at
> the bottom to get in touch with
> us: http://www.openminds.be/en/cloud-hosting (the big orange box at
> the bottom of the page). I hope this is sufficient (it works for our
> business, as we have clients, and get contacted to make quotes ;-) ).
> On the contact-us page is an additional sales mail address linked.
> 
> 
> Contacting us concerning security-issues:
> 
> 
> Our contact info is linked on each page (top navigation bar,
> "contact"), and detailed contact info is available
> here http://www.openminds.be/en/contact. There is a small paragraph
> concerning security-issues. Besides this, our clients have contracts
> with us, and part of the contract is our AUP, which contains a section
> about security - "if they discover something which is out of the
> ordinary, they should get in contact" summarized.
> 
> 
> The tech@ alias:
> 
> 
> You can change the tech@ alias to the security@ alias, if you want.
> The non-disclosure nature will be communicated to all engineers upon
> inclusion in the list. The amount of people actually seeing the ticket
> is about the same, an average of 8 to 10 people would receive the
> mail.
> 
> 
> Technically, both aliases will work, but the tech@ mails need to be
> converted to a ticket, after an engineer decides the security-issues
> described are affecting our systems and/or customers. We use the tech@
> for our subscription to Debian/Ubuntu Security mailings, some
> security-related mailing lists, etc. The security@ is an alias to the
> support-system, and will immediately create a ticket in our systems
> (which can then be closed if we aren't affected).
> 
> 
> I hope this clarifies our application.
> 
> 
> Kind regards,
> Bernard Grymonpon
> Openminds BVBA
> 
> On 03 Mar 2015, at 17:10, Ian Campbell <ijc@xxxxxxx> wrote:
> 
> > On Mon, 2015-03-02 at 17:05 +0100, Bernard Grymonpon wrote:
> > > we would like to be included in the Xen pre-disclosure list. 
> > 
> > Thank you for your application.
> > 
> > The security policy[0] requires "Link(s) to current public web
> > pages, belonging to your organisation," for each piece of
> > information.
> > 
> > Please could you point us to the page which describes how one can
> > obtain a quote from you.
> > 
> > With regards to "Your invitation to members of the public, who
> > discover security problems with your products/services, to report
> > them in confidence to you;" and "Specifically, the contact
> > information (email addresses or other contact instructions) which
> > such a member of the public should use." please can you point us to
> > such a page. I'm afraid that the policy requires this.
> > 
> > Please can you provide this information so that we may continue to
> > process your application.
> > 
> > Please could you also clarify the scope of your tech@ alias. It is
> > intended that predisclosures go to a small team dedicated to
> > handling incoming security issues, rather than a large team of
> > system administrators.
> > 
> > Thanks,
> > Ian.
> > 
> > [0] http://www.xenproject.org/security-policy.html
> > 
> > 
> > 
> 
> _______________________________________________
> Predisclosure-applications mailing list
> Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
> http://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications


