Re: [Predisclosure-applications] Pre-disclosure Application
Sean,

Thanks for your application, and sorry it's taken so long to get back to
you.

On 01/03/2018 08:51 PM, Sean Mahoney wrote:
> Good Day,
> 
> We are applying for predisclosure advisories for our organization.
> 
> Name: Choopa Hosting
> 
> Domains: choopa.com constant.com reliableservers.com
> 
> Description: We are a managed service provider that has a number of
> supported users that use Xen in their deployments.
> 
> All of our Xen services are Xenserver on dedicated hardware, located in
> our Piscataway, NJ facility.

Hmm -- so as far as I can tell, your company doesn't provide VMs.  You
provide physical boxes and help your customers install and manage the
software that runs on them; if they want Windows Server or CentOS or
Ubuntu or whatever, you'll help them install it; and XenServer is one of
your offerings.  Is that a correct understanding?

I don't think you fit cleanly into any of the categories listed in the
security policy.  "Hosting provider" was meant to mean "VM hosting", not
"physical machine hosting".

I'm assuming that your customers have access to the xapi / dom0 on the
systems you provide.  Can you describe why you think you need to be on
the security list, rather than just helping your customers download
XenServer updates the normal way when the issue goes public?

Question of whether you qualify aside, there are a few problems with the
application as you've made it:

> A few of our hardware offerings can be found here:
> 
> https://www.constant.com/servers/
> 
> https://www.choopa.com/servers/

None of the links provided mention Xen, so your application doesn't meet
this requirement:

"Evidence of your status as a user/distributor of Xen: Statements about,
or descriptions of, your eligible production services or released
software, from which it is immediately evident that they use Xen."

> Security issues can be reported with our publicly available contact info
> @ https://www.choopa.com/corporate/contact.php

Nothing on this page says anything about security, so your application
doesn't meet this requirement:

"Your invitation to members of the public, who discover security
problems with your products/services, to report them in confidence to
you; Specifically, the contact information (email addresses or other
contact instructions) which such a member of the public should use."

Thanks,
 -George

_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/predisclosure-applications