
Re: [Predisclosure-applications] Predisclosure application for HostPapa



Hi George,

Thanks for getting back to us. The necessary changes have been made on https://www.hostpapa.com/about-hostpapa/

The additional content is:

--
Security concerns, enquiries or notifications:

We're committed to making the web as safe as possible. If you have any concerns regarding security at HostPapa, or would like to disclose any security issues you may have discovered with our hosting platform, please reach out to us via security@xxxxxxxxxxxx.
--

Thanks,
Vince.


On Tue, Apr 4, 2017 at 2:28 PM, George Dunlap <george.dunlap@xxxxxxxxxx> wrote:
On 24/03/17 15:21, Stratful, Vince wrote:
> Hi all,
>
> My name is Vince Stratful, I'm the CTO for HostPapa. We sell VPSes to end
> users using Xen via http://www.hostpapa.com, .ca, .co.uk, etc.
>
> I believe HostPapa fits the predisclosure criteria because we're a hosting
> company that uses Xen to provide our services. Not all of our products
> utilize Xen, but we do exclusively use Xen for our VPS products.
>
> Evidence of our status as a hosting services provider:
> https://www.hostpapa.com/web-hosting-plan/vps-hosting/
>
> Evidence of our status as a user of Xen:
> https://www.hostpapa.com/web-hosting-plan/vps-hosting/ - in the "Managed
> VPS" hover in each of the plan descriptions we mention that Xen is used as
> our hypervisor.
> https://www.hostpapa.com/web-hosting-plan/vps-hosting/detailed-specs/ - on
> our detailed-specs breakdown, we mention Xen again.
>
> Information about our security policies:
> Not publicly available, in our support center clients are given multiple
> avenues to contact us regarding security and abuse issues.
>
> Security contact address:
> security@xxxxxxxxxxxx
>
> I have read the policy located at
> https://www.xenproject.org/security-policy.html in full and agree to abide
> by the terms for inclusion in the list. I understand that discretion and
> confidentiality during an embargo period is of the utmost importance.

Vince,

Thanks for your application.  Nearly everything looks to be in order,
except for one item from the XenProject Security Policy:

"Your invitation to members of the public, who discover security
problems with your products/services, to report them in confidence to you"

The policy says that the invitation must be to "members of the public",
not customers.  This means that there must be at least an invitation on
some publicly accessible web page; so you do not (yet) meet the criteria.

You might consider, for instance, adding a section to
https://www.hostpapa.com/about-hostpapa/ about reporting security problems.

Hope to hear from you again soon.

Thanks,

-George Dunlap
 on behalf of the XenProject Security Team




--
Vince Stratful
Chief Technology Officer
HostPapa, Inc.

Phone: (905) 315-3455
Toll-Free (888) 959-PAPA (7272)