Re: Follow-up on ANSSI request to join Xen predisclosure list
Hello.

Thanks for your application to join the Xen Project Security Issues Predisclosure List. We understand your desire to receive predisclosures of Xen Security Advisories.

However, unfortunately, "organisations which monitor and alert others to new vulnerabilities which might affect them" doesn’t seem to us to fit into any of the categories explicitly listed in the Xen Project Security Problem Response Process.

It is our role, as the Xen Project Security Team, to implement the policy set out in that Process. We do not have discretion to waive the requirements.

However, it seems possible that some of your "beneficiaries", as you put it, might qualify to join the list in their own right.

In any case, it seems to us that the Xen Project policy would prevent you from sharing information about vulnerabilities with your beneficiaries, unless those beneficiaries were on the list too.

If you would like to see the policy changed, you may initiate such a proposal via the public Xen Project mailing lists using our usual governance processes; these processes are intended to facilitate oversight and policymaking by the Xen community, including users and developers of Xen (and of systems containing Xen).

With regret,
Ian Jackson.
on behalf of the Xen Project Security Team