
Re: [Predisclosure-applications] Application for predisclosure list from CloudLinux Inc



Thank you, 

this all appears to be in order. 

I have subscribed xen-predisclosure@xxxxxxxxxxxxxx to the lists and will send 
copies of the currently embargoed issues XSA-175, -176 and -178 to that alias. 
http://xenbits.xen.org/xsa/ has an overview of the (public) information about 
all XSAs. 

Regards, 
Lars.

> On 11 May 2016, at 21:46, Igor Seletskiy <i@xxxxxxxxxxxxxx> wrote:
> 
> Hello,
> 
> I just wanted to check that the application was received, and you don't need any
> additional info.
> 
> 
> Regards,
> Igor Seletskiy |  CEO
> Skype: iseletsk
> CloudLinux.com  |  KernelCare.com  |  KuberDock.com 
> 
> helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
> Follow twitter.com/CloudLinuxOS for technical updates
> 
> 
> On Thu, Apr 28, 2016 at 8:40 AM, Igor Seletskiy <i@xxxxxxxxxxxxxx> wrote:
> Lars,
> 
> Thank you very much. Please find the updated application. Hopefully all the
> issues are addressed.
>       • The name of your organization
> Cloud Linux Inc. (cloudlinux.com)
>       • Domain name(s) which you use to provide Xen software/services
> https://cloudlinux.com/all-products/product-overview/kernelcare
> https://cloudlinux.com/kernelcare-supported-kernels
>       • A brief description of why you fit the criteria
> KernelCare is a rebootless kernel update service that, using technology
> similar to ksplice & livepatch, patches vulnerabilities in running kernels
> without the need for a reboot. It is our wish to start providing kernel
> patching for Xen4CentOS kernels, and we believe that being on the predisclosure
> list would let us have binary patches prepared in advance - so we can
> distribute them right after public announcement.
> 
>       • If not all of your products/services use Xen, a list of (some of) 
> your products/services (or categories thereof) which do.
> KernelCare provides patching for Xen4CentOS kernels:
> https://cloudlinux.com/kernelcare-supported-kernels
> http://patches.kernelcare.com/
> Please choose Virt-SIG/Xen4CentOS 6 (as well as 7) to see the kernels that
> are currently supported.
> 
>       • Link(s) to current public web pages, belonging to your organisation, 
> for each of following pieces of information:
>               • Evidence of your status as a service/software provider:
>                       • If you are a software provider, how your software can 
> be downloaded or purchased
> We are a software provider; our software can be ordered/trialed from this page:
> https://cloudlinux.com/kernelcare-free-trial5
> or purchased here:
> https://cln.cloudlinux.com/clweb/kc/kc_cart.html
> 
>               • Evidence of your status as a user/distributor of Xen:
>                       • Statements about, or descriptions of, your eligible 
> production services or released software, from which it is immediately 
> evident that they use Xen.
> Please find links to supported Xen4CentOS kernels here:
> http://patches.kernelcare.com/ by selecting Virt-SIG/Xen4CentOS 6 (as well as 7)
> A few examples of supported kernels:
> http://patches.kernelcare.com/5c4356639a8d7acbb3002f70f85312e61f44a9b9/2/kpatch.html
> http://patches.kernelcare.com/a996c266d9751a4217759d92dc7d379b96fe685e/2/kpatch.html
> A whitepaper on how the service works, in HTML format, can be found here:
> http://kernelcare.com/white-pape.php
>               • Information about your handling of security problems:
>                       • Your invitation to members of the public, who 
> discover security problems with your products/services, to report them in 
> confidence to you;
> https://www.cloudlinux.com/vulnerability-reporting
>                       • Specifically, the contact information (email 
> addresses or other contact instructions) which such a member of the public 
> should use.
> security@xxxxxxxxxxxxxx
> Blog postings, conference presentations, social media pages, Flash 
> presentations, videos, sites which require registration, anything 
> password-protected, etc., are not acceptable. PDFs of reasonable size are 
> acceptable so long as the URL you provide is of an ordinary HTML page
> providing a link to the PDF.
> 
> If the pages are long and/or PDFs are involved, your email should say which 
> part of the pages and documents are relevant.
> 
>       • A statement to the effect that you have read this policy and agree to 
> abide by the terms for inclusion in the list, specifically the requirements 
> regarding confidentiality during an embargo period
> I have read and understand the xenproject security policy, and agree to abide by
> the terms. I specifically agree to the confidentiality requirement during the embargo
> period.
>       • The single (non-personal) email alias you wish added to the 
> predisclosure list
> xen-predisclosure@xxxxxxxxxxxxxx
> 
> Regards,
> Igor Seletskiy |  CEO
> Skype: iseletsk
> CloudLinux.com  |  KernelCare.com  |  KuberDock.com 
> 
> helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
> Follow twitter.com/CloudLinuxOS for technical updates
> 
> 
> On Fri, Apr 22, 2016 at 11:03 AM, Lars Kurth <lars.kurth.xen@xxxxxxxxx> wrote:
> Igor,
> 
> apologies for the delay. We somehow missed your application.
> 
> Igor Seletskiy writes ("[Predisclosure-applications] Application for 
> predisclosure list from CloudLinux Inc"):
> > * KernelCare is a rebootless kernel update service that, using
> > technology similar to ksplice & livepatch, patches vulnerabilities in
> > running kernels without the need for a reboot. It is our wish to start
> > providing kernel patching for Xen4CentOS kernels, and we believe
> > that being on the predisclosure list would let us have binary patches
> > prepared in advance - so we can distribute them right after public
> > announcement.
> >
> > * KernelCare is the product that patches Xen kernels
> 
> We think this means you are applying in one of these two (somewhat
> overlapping) categories, from the policy:
> 
> * Vendors of Xen-based systems;
> * Distributors of operating systems with Xen support.
> 
> We understand that your service distributes Linux kernel patches to
> your users.  This is confirmed by this url from your mail:
> 
> > - http://www.streetinsider.com/Press+Releases/KernelCare+Now+Support+Proxmox+VE+Servers+with+Rebootless+Security+Updates/11115997.html
> 
> Given that we sometimes issue advisories for Xen-related kernel bugs,
> it seems appropriate for a kernel update distributor such as
> yourselves to qualify in the same way that a Xen hypervisor update
> distributor would do, provided that you support (provide patches for)
> the Xen features in those kernels.
> 
> 
> Unfortunately we were not able to find in your mail a reference to a
> qualifying web page which mentions that you support those Xen
> features.  The policy requires us to look for:
> 
>  Evidence of your status as a user/distributor of Xen:
> 
>     * Statements about, or descriptions of, your eligible production
>       services or released software, from which it is immediately
>       evident that they use Xen.
> 
> In the context of a service such as yours, we think that this means
> that it must be immediately evident that you provide patches for
> installations of the applicable kernels _which are using Xen_.
> 
> 
> Additionally, the policy requires you to provide a URL for:
> 
>   Information about your handling of security problems:
> 
>     * Your invitation to members of the public, who discover security
>       problems with your products/services, to report them in confidence
>       to you;
> 
>     * Specifically, the contact information (email addresses or
>       other contact instructions) which such a member of the public
>       should use.
> 
> We didn't see this in your email.
> 
> 
> There were a few URLs in your message which we have not been able to
> consider:
> 
> > * kernelcare.com - we are a software vendor that provides software to apply
> > security patches for running kernels without reboot for a large number of Linux
> > distributions. The software is used on 50,000+ servers by various enterprises
> > and service providers.
> > -- whitepaper: http://kernelcare.com/2.0/whitepaper.pdf
> 
> I viewed this whitepaper in the mupdf and evince PDF viewers in Debian
> wheezy and much of it seems to be blank or inaccessible. Could you please
> attach the PDF.
> 
> > -- kernelcare blog posts: https://www.cloudlinux.com/kernelcare-blog
> 
> The policy precludes us from looking at blog posts.
> 
> > - http://www.thehostingnews.com/cloudlinux-announces-kernelcare-com-rebootless-kernel-update-service-31190.html
> 
> The policy requires us to look at only your own public web pages.
> 
> Please do resubmit your application with URLs to the further required
> information, as and when you have that available.
> 
> 
> Thanks,
> Lars and Ian
> 
> 
> > On 18 Apr 2016, at 18:58, Igor Seletskiy <i@xxxxxxxxxxxxxx> wrote:
> >
> > Hello,
> >
> > We have never received an answer. It would be great if we could get
> > access.
> > KernelCare now supports Xen4CentOS kernels, and it would help us & our
> > clients a lot if we would get advance notice about vulnerabilities.
> >
> >
> > Regards,
> > Igor Seletskiy |  CEO
> > Skype: iseletsk
> > CloudLinux.com  |  KernelCare.com  |  KuberDock.com
> >
> > helpdesk.cloudlinux.com: 24/7 Free, exceptionally good support
> > Follow twitter.com/CloudLinuxOS for technical updates
> >
> 
> 
> 


_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications

 

