Xen project Mailing List

Re: [Predisclosure-applications] XCP-ng predisclosure list application

From: Lars Kurth <lars.kurth.xen@xxxxxxxxx>

Date: Fri, 16 Nov 2018 16:13:40 +0000

Cc: predisclosure-applications@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Fri, 16 Nov 2018 16:13:47 +0000

List-id: Applications for membership of Xen Security Advisories Pre-disclosure List <predisclosure-applications.lists.xenproject.org>

Hi Olivier,

thanks for the submission and apologies for the delay in responding. The application looks mostly in order, but there are a few gaps/questions. Looking at the application, it is not 100% clear whether you are applying , as

* service/software provider, to
* as an open-source project

because you specify both https://xcp-ng.com & security@xxxxxxxxxx and https://xcp-ng.org & security@xxxxxxxxxx in the application
I am assuming you are applying as an open source project. Please confirm.

For the application, we are missing

Information about your handling of security problems:
* Your invitation to members of the public, who discover security problems with your products/services, to report them in confidence to you;
* Specifically, the contact information (email addresses or other contact instructions) which such a member of the public should use.

You can find an example in https://lists.xenproject.org/archives/html/predisclosure-applications/2017-07/msg00000.html

Thank you and Regards
Lars

On 30 Oct 2018, at 13:27, contact@xxxxxxxxxx wrote:
Hello everyone,

I'm Olivier Lambert, project leader for XCP-ng project (https://xcp-ng.org). This project is aimed to deliver a turnkey Open Source virtualization platform. It's currently based on XenServer, and we started to contribute to Xen/XAPI and its ecosystem (and more will come). You can find all the public work done on it here: https://github.com/xcp-ng

Since our first release, we are at about 15k+ unique downloads, and we can assume safely it starts to be used by thousand people and organizations now.

This is why being included in this pre-disclosure list is important for the project: this way, we could be pro-active and deliver patches quickly (note that we deliver patching via a signed RPM repo, a simple `yum update` do the trick for our users).

We already have a dedicated security contact email: security@xxxxxxxxxx so this is the one we'd like to have enabled for this pre-disclosure list.
We (limited people having access to the security inbox) have read this pre-disclosure policy and agree to abide by the terms for inclusion in the list, including the requirements regarding confidentiality during an embargo period.
Note: we also offer pro support for XCP-ng, cf https://xcp-ng.com
We also have a security@xxxxxxxxxx but IDK if it's relevant to have both on the ML. Up to you, I don't mind having just the .org email there.

Let me know if you need anything else for me to be registered there.

Best,

Olivier Lambert
_______________________________________________
Predisclosure-applications mailing list
Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/predisclosure-applications

_______________________________________________ Predisclosure-applications mailing list Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/predisclosure-applications