Re: [Predisclosure-applications] Pre-disclosure mailing list application for Schuberg Philis
Alexander Kaasjager writes ("[Predisclosure-applications] Pre-disclosure mailing list application for Schuberg Philis"):
> Schuberg Philis

Thanks for your mail. We are sorry to say that your application did not contain all the required information. We are not permitted to waive the requirements of the Xen Project Security Policy, which is defined by the Xen Project community as a whole.

We deal with the specific points in your application in more detail below. Please do feel free to renew your application when you have urls for public web pages, belonging to your organisation, which contain the evidence and information required by the policy.

> 1. we are a service provider for mission critical systems, with a
> guaranteed availability of 100%. A fast-growing number of these services
> rely heavily on a Cloudstack+Xen architecture, both as shared amongst
> customers, and as a private cloud. For our customers (including large
> financial institutions, energy trading, and the second largest retailer in
> the country), not just agility and reliability are important, but strong
> security as well.

This status would, if your application were accompanied by the required information, qualify you for membership of the predisclosure list.

> 2. we are actively participating in the development and 'marketing' of
> Cloudstack, not only because we rely on it for our cloud services, but as
> much as a way to 'repay' the Open Source community for their
> contributions. (We refer to this as 'co-creation', a major part of the way
> we work.) The primary, if not the only, environment we run Cloudstack on
> being Xen, requires us to be as much ahead of any issues with either
> platform as possible.

Thanks. The Xen Project appreciates your contributions. However this would not qualify you as a software provider for the purposes of the Xen Project Security Policy. We have therefore considered your application on the basis of your status as a service provider.

> * Evidence of your status as a service/software provider:
>
> Giving quotes is difficult, as we build highly customised solutions.
> However, please feel free to request information on this via our Sales
> team:
> https://schubergphilis.com/contact

Unfortunately, that is just a contact form. The Xen Project policy requires that the evidence must be provided on the web pages whose urls you quote.

> Although we are not a software vendor, our contributions to Cloudstack can
> be verified at Github:
> https://github.com/apache/cloudstack
> https://github.com/schubergphilis/

The Xen Project policy specifically requires that the evidence be on web pages belonging to your organisation, so we must disregard the Apache Cloudstack URL. It is questionable whether a github page for your company is a `current public web [page], belonging to your organisation'. But even if it is, the page does not (as far as we can see) provide evidence of your status as a service provider.

> And the cloudstack mailing list (search for 'Hugo Trippaers'):
> http://markmail.org/search/list:org.apache.incubator.cloudstack-*?q=hugo+tr
> ippaers
> Hugo is both an Apache Cloudstack PMC and employed as a Mission Critical
> Engineer by Schuberg Philis:
> https://www.linkedin.com/profile/view?id=2139236&authType=NAME_SEARCH&authT
> oken=jKw8&locale=en_US&trk=tyah&trkInfo=clickedVertical%3Amynetwork%2Cidx%3
> A1-1-1%2CtarId%3A1427904593052%2Ctas%3Ahugo+tr
>
> Hugo as part of the PMC team, at the Apache site:
> https://cloudstack.apache.org/who.html

None of these URLs are `current public web pages, belonging to your organisation'. We are therefore unable to consider them.

> Hugo as an engineer at Schuberg Philis:
> https://schubergphilis.com/team

That page does not, as far as we can see, provide evidence of your status as a service provider.

> Also, we have a number of technical blog posts on how we use
> Cloudstack+Xen (search for 'Xen'):
> https://www.cupfighter.net/search

The Xen Project Security Policy specifically excludes reliance on blog posts as evidence. We are therefore unable to consider this.

(Note that your email didn't explicitly mention the requirement for
* Evidence of your status as a user/distributor of Xen
although some of your responses above appear to be trying to address this.)

> Information about your handling of security problems
> =====================================
> * Reporting security issues:
> We run a very active Responsible Disclosure program at
> https://www.schubergphilis.com/2012/12/11/responsible-disclosure

This appears AFAICT to be some kind of blog index page. Just for the avoidance of doubt, here is what I see in my web browser (after scrolling down):
http://www.chiark.greenend.org.uk/~ijackson/2015/www.schubergphilis.com.png

> * Agreement to policy
> * The single (non-personal) email alias you wish added to the
> predisclosure list.

Thanks, your responses to these points seem to be in order.

Regards,
Ian.
(on behalf of the Xen Project Security Team.)

_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications