[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Follow-up on ANSSI request to join Xen predisclosure list


Thanks for your application to join the Xen Project Security Issues
Predisclosure List.  We understand your desire to receive
predisclosures of Xen Security Advisories.

However, unfortunately, "organisations which monitor and alert others
to new vulnerabilities which might affect them" doesn’t seem to us to
fit into any of the categories explicitly listed in the Xen Project
Security Problem Response Process.  It is our role, as the Xen Project
Security Team, to implement the policy set out in that Process.  We do
not have discretion to waive the requirements.

However, it seems possible that some of your "beneficiaries", as you
put it, might qualify join the list in their own right.

In any case, it seems to us that the Xen Project policy would prevent
you from sharing information about vulnerabilities with your
beneficiaries, unless those beneficiaries were on the list too.

If you would like to see the policy changed, you may initiate such a
proposal via the public Xen Project mailing lists using our usual
governance processes; these processes are intended to facilitate
oversight and policymaking by the Xen community, including users and
developers of Xen (and of systems containing Xen).

With regret,
Ian Jackson.
on behalf of the Xen Project Security Team



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.