Re: [Predisclosure-applications] Application for predisclosure list from CloudLinux Inc



Lars,

Thank you very much. Please find the updated application. Hopefully all the issues are addressed.
  • The name of your organization
    Cloud Linux Inc. (cloudlinux.com)
  • Domain name(s) which you use to provide Xen software/services
    https://cloudlinux.com/all-products/product-overview/kernelcare
    https://cloudlinux.com/kernelcare-supported-kernels
  • A brief description of why you fit the criteria
    KernelCare is a rebootless kernel update service that, using technology similar to ksplice & livepatch, patches vulnerabilities in running kernels without the need for a reboot. It is our wish to start providing kernel patching for Xen4CentOS kernels, and we believe that being on the predisclosure list would let us have binary patches prepared in advance - so we can distribute them right after the public announcement.

  • If not all of your products/services use Xen, a list of (some of) your products/services (or categories thereof) which do.
    KernelCare provides patching for Xen4CentOS kernels:
    https://cloudlinux.com/kernelcare-supported-kernels
    http://patches.kernelcare.com/
       Please choose Virt-SIG/Xen4CentOS 6 (as well as 7) to see the kernels that are currently supported.

  • Link(s) to current public web pages, belonging to your organisation, for each of following pieces of information:

    If the pages are long and/or PDFs are involved, your email should say which part of the pages and documents are relevant.

  • A statement to the effect that you have read this policy and agree to abide by the terms for inclusion in the list, specifically the requirements regarding confidentiality during an embargo period
    I have read and understand the xenproject security policy, and agree to abide by the terms. I specifically agree to the confidentiality requirement during the embargo period.
  • The single (non-personal) email alias you wish added to the predisclosure list
    xen-predisclosure@xxxxxxxxxxxxxx

Regards,
Igor Seletskiy |  CEO
Skype: iseletsk

CloudLinux.com  |  KernelCare.com  |  KuberDock.com 

helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
Follow twitter.com/CloudLinuxOS for technical updates


On Fri, Apr 22, 2016 at 11:03 AM, Lars Kurth <lars.kurth.xen@xxxxxxxxx> wrote:
Igor,

apologies for the delay. We somehow missed your application.

Igor Seletskiy writes ("[Predisclosure-applications] Application for predisclosure list from CloudLinux Inc"):
> * KernelCare is a rebootless kernel updates service, that using
> technology similar to ksplice & livepatch patches vulnerabilities in
> running kernels without the need for reboot. It is our wish to start
> providing kernel patching for Xen4CentOS kernels, and we believe
> that being on predisclosure list would let us have binary patches
> prepared in advance - so we can distribute them right after public
> announcement.
>
> * KernelCare is the product that patches Xen kernels

We think this means you are applying in one of these two (somewhat
overlapping) categories, from the policy:

* Vendors of Xen-based systems;
* Distributors of operating systems with Xen support.

We understand that your service distributes Linux kernel patches to
your users.  This is confirmed by this url from your mail:

> - http://www.streetinsider.com/Press+Releases/
> KernelCare+Now+Support+Proxmox+VE+Servers+with+Rebootless+Security+Updates/
> 11115997.html

Given that we sometimes issue advisories for Xen-related kernel bugs,
it seems appropriate for a kernel update distributor such as
yourselves to qualify in the same way that a Xen hypervisor update
distributor would do, provided that you support (provide patches for)
the Xen features in those kernels.


Unfortunately we were not able to find in your mail a reference to a
qualifying web page which mentions that you support those Xen
features.  The policy requires us to look for:

 Evidence of your status as a user/distributor of Xen:

    * Statements about, or descriptions of, your eligible production
      services or released software, from which it is immediately
      evident that they use Xen.

In the context of a service such as yours, we think that this means
that it must be immediately evident that you provide patches for
installations of the applicable kernels _which are using Xen_.


Additionally, the policy requires you to provide a URL for:

  Information about your handling of security problems:

    * Your invitation to members of the public, who discover security
      problems with your products/services, to report them in confidence
      to you;

    * Specifically, the contact information (email addresses or
      other contact instructions) which such a member of the public
      should use.

We didn't see this in your email.


There were a few URLs in your message which we have not been able to
consider:

>> * kernelcare.com - we are a software vendor that provides software to apply
> security patches for running kernels without reboot for large number of linux
> distributions. The software is used on 50,000+ servers by various enterprises
> and service providers.
> -- whitepaper: http://kernelcare.com/2.0/whitepaper.pdf

I viewed this whitepaper in the mupdf and evince PDF viewers in Debian
wheezy and much of it seems to be blank or inaccessible. Could you please
attach the PDF?

> -- kernelcare blog posts: https://www.cloudlinux.com/kernelcare-blog

The policy precludes us from looking at blog posts.

> - http://www.thehostingnews.com/
> cloudlinux-announces-kernelcare-com-rebootless-kernel-update-service-31190.html

The policy requires us to look at only your own public web pages.

Please do resubmit your application with URLs to the further required
information, as and when you have that available.


Thanks,
Lars and Ian


> On 18 Apr 2016, at 18:58, Igor Seletskiy <i@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> We have never received the answer. It would be great if we could get the access.
> KernelCare now supports Xen4CentOS kernels, and it would help us & our clients a lot if we would get advance notice about vulnerabilities.
>
>
> Regards,
> Igor Seletskiy |  CEO
> Skype: iseletsk
> CloudLinux.com  |  KernelCare.com  |  KuberDock.com
>
> helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
> Follow twitter.com/CloudLinuxOS for technical updates
>


_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications