
Re: [Predisclosure-applications] XCP-ng predisclosure list application



Hi Lars,

1. As an Open Source project would make more sense, I suppose, yes.
2. "Your invitation to members of the public, who discover security problems 
with your products/services, to report them in confidence to you;" is already done 
here: check the "Security and mirrors" tab on the xcp-ng.org website, "Found a 
security problem in XCP-ng? Please email us on security at xcp-ng dot org". If 
you want a better (but still concise) wording, let me know :)


Best,

--

Olivier Lambert
Co-founder - CEO
XCP-ng & Xen Orchestra - Vates solutions


https://xcp-ng.com https://xen-orchestra.com

----- Original message -----
From: "Lars Kurth" <lars.kurth.xen@xxxxxxxxx>
To: "contact" <contact@xxxxxxxxxx>
Cc: predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
Sent: Friday, 16 November 2018 17:13:40
Subject: Re: [Predisclosure-applications] XCP-ng predisclosure list application

Hi Olivier,

thanks for the submission and apologies for the delay in responding. The 
application looks mostly in order, but there are a few gaps/questions. Looking 
at the application, it is not 100% clear whether you are applying as

* a service/software provider, or
* an open-source project

because you specify both https://xcp-ng.com & security@xxxxxxxxxx and 
https://xcp-ng.org & security@xxxxxxxxxx in the application.
I am assuming you are applying as an open source project. Please confirm.

For the application, we are missing 

Information about your handling of security problems:
* Your invitation to members of the public, who discover security problems with 
your products/services, to report them in confidence to you;
* Specifically, the contact information (email addresses or other contact 
instructions) which such a member of the public should use.

You can find an example in 
https://lists.xenproject.org/archives/html/predisclosure-applications/2017-07/msg00000.html

Thank you and Regards
Lars

> On 30 Oct 2018, at 13:27, contact@xxxxxxxxxx wrote:
> 
> Hello everyone,
> 
> I'm Olivier Lambert, project leader for the XCP-ng project (https://xcp-ng.org). 
> This project aims to deliver a turnkey Open Source virtualization 
> platform. It's currently based on XenServer, and we have started to contribute to 
> Xen/XAPI and its ecosystem (and more will come). You can find all the public 
> work done on it here: https://github.com/xcp-ng
> 
> Since our first release, we are at about 15k+ unique downloads, and we can 
> safely assume it is starting to be used by thousands of people and organizations now.
> 
> This is why being included in this pre-disclosure list is important for the 
> project: this way, we could be proactive and deliver patches quickly (note 
> that we deliver patches via a signed RPM repo; a simple `yum update` does the 
> trick for our users).
> 
> We already have a dedicated security contact email: security@xxxxxxxxxx so 
> this is the one we'd like to have enabled for this pre-disclosure list.
> 
> We (limited people having access to the security inbox) have read this 
> pre-disclosure policy and agree to abide by the terms for inclusion in the 
> list, including the requirements regarding confidentiality during an embargo 
> period.
> Note: we also offer pro support for XCP-ng, cf https://xcp-ng.com
> We also have a security@xxxxxxxxxx but IDK if it's relevant to have both on 
> the ML. Up to you, I don't mind having just the .org email there.
>  
> Let me know if you need anything else for me to be registered there.
> 
> Best,
> 
> Olivier Lambert
> _______________________________________________
> Predisclosure-applications mailing list
> Predisclosure-applications@xxxxxxxxxxxxxxxxxxxx
> https://lists.xenproject.org/mailman/listinfo/predisclosure-applications

