
Re: [Predisclosure-applications] NetApp pre-disclosure list application



Hazinski, Matt writes ("[Predisclosure-applications] NetApp pre-disclosure list 
application"):
> I’d like to request inclusion of NetApp (https://netapp.com) on the Xen 
> pre-disclosure list. NetApp is a leading storage software provider which 
> distributes a modified version of Xen Server as part of our E-Series 
> SANtricity OS version 11.30 for E2800 controller platforms. We also provide 
> XenCenter Client plug-ins, such as Virtual Storage Console for Citrix 
> XenServer.

Hi.  Thanks for your mail.

> Instructions on purchasing our software can be found here: 
> http://www.netapp.com/us/how-to-buy/index.aspx

This seems to us to meet the requirements of the policy.

> We mention our use of Xen Server in our NOTICE file linked from: 
> https://mysupport.netapp.com/documentation/docweb/index.html?productID=62264&language=en-US
>  (search for “Xen” in page 46, 48, 51 of the “Notice (OS Bundle)” pdf). We 
> also publish some of our modified Xen source at: 
> ftp://ftp.netapp.com/frm-ntap/opensource/ESeriesFW/v11.30/xen-4.4.1.tar.gz ;
> (NetApp’s changes are in 
> debian/patches/debian-changes-4.4.1-9+deb8u8+ntap3945).

Hi.  Thanks.  I'm afraid the first URL is not accessible without
logging in.  We are specifically forbidden by the policy from taking
into account any pages which "require registration" or are
"password-protected".

The second URL is not a "web page" as the policy requires; and it is
not "immediately evident" from the provision of that source code that
your current products use Xen.

> Documentation of our XenCenter Client plug-ins is available here: 
> https://mysupport.netapp.com/documentation/docweb/index.html?productID=61792&language=en-US

I'm afraid it is not obvious from at least the first of those
documents whether NetApp actually distribute Xen, or simply provide a
separate plugin for it.

> Information about our handling of security reports can be found at the 
> following links:
>   - http://www.netapp.com/us/legal/security/contact/index.aspx
>   - http://www.netapp.com/us/legal/security/policy/vulnerability-response.aspx

This seems to us to meet the requirements of the policy.

> Please use xdl-ext-security-notices@xxxxxxxxxx for the pre-disclosure list. 
> This is an internal alias only accessible by our Product Security team.
>  
> We have read this pre-disclosure policy and agree to abide by the terms for 
> inclusion in the list, including the requirements regarding confidentiality 
> during an embargo period.
>  
> Let me know if any additional information is required.

Thanks.

If you would like to resubmit your application with different URLs
evidencing your use of Xen, we'd be happy to consider it.  It might be
helpful for you to re-review the policy requirements before doing so.

Regards,
Ian.
(on behalf of the Xen Project Security Team.)

_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/cgi-bin/mailman/listinfo/predisclosure-applications

 

