
Re: [Predisclosure-applications] XCP-ng predisclosure list application

Hi Olivier,

thanks for the submission and apologies for the delay in responding. The application looks mostly in order, but there are a few gaps/questions. Looking at the application, it is not 100% clear whether you are applying as

* a service/software provider, or
* an open-source project

because you specify both https://xcp-ng.com & security@xxxxxxxxxx and https://xcp-ng.org & security@xxxxxxxxxx in the application.
I am assuming you are applying as an open source project. Please confirm.

For the application, we are missing 

Information about your handling of security problems:
* Your invitation to members of the public, who discover security problems with your products/services, to report them in confidence to you;
* Specifically, the contact information (email addresses or other contact instructions) which such a member of the public should use.

You can find an example in https://lists.xenproject.org/archives/html/predisclosure-applications/2017-07/msg00000.html

Thank you and Regards

On 30 Oct 2018, at 13:27, contact@xxxxxxxxxx wrote:

Hello everyone,

I'm Olivier Lambert, project leader for XCP-ng project (https://xcp-ng.org). This project is aimed to deliver a turnkey Open Source virtualization platform. It's currently based on XenServer, and we started to contribute to Xen/XAPI and its ecosystem (and more will come). You can find all the public work done on it here: https://github.com/xcp-ng

Since our first release, we are at about 15k+ unique downloads, and we can assume safely it starts to be used by thousand people and organizations now.

This is why being included in this pre-disclosure list is important for the project: this way, we could be pro-active and deliver patches quickly (note that we deliver patching via a signed RPM repo, a simple `yum update` does the trick for our users).

We already have a dedicated security contact email: security@xxxxxxxxxx so this is the one we'd like to have enabled for this pre-disclosure list.

We (limited people having access to the security inbox) have read this pre-disclosure policy and agree to abide by the terms for inclusion in the list, including the requirements regarding confidentiality during an embargo period.

Note: we also offer pro support for XCP-ng, cf https://xcp-ng.com

We also have a security@xxxxxxxxxx but IDK if it's relevant to have both on the ML. Up to you, I don't mind having just the .org email there.

Let me know if you need anything else for me to be registered there.


Olivier Lambert
Predisclosure-applications mailing list
