[Publicity] FOSDEM Security devroom submission
I have posted the following talk proposal to the FOSDEM Security Devroom. Feedback welcome. Deadline is listed as "Tuesday 10 December", but 10 December is a Thursday; so probably best to get me feedback before Tuesday 8 December just in case. :-)

Title

Security response and open source: War stories from the XenProject security response process

Abstract

Open-source software plays a vital role in our worldwide computing infrastructure. When vulnerabilities are discovered in our software, our response can have a major impact on how much risk our end users are exposed to. The XenProject's security response process has been hardened and tested over years of experience, and has weathered several storms. This talk will share some war stories from our security response process that explain how we got to where it is today, so that you can learn the easy way, from our experience, rather than the hard way, from your own experience.

Full description

This talk will briefly cover the history of response processes -- from non-disclosure to full disclosure to coordinated or "responsible" disclosure, and pre-disclosure. We'll then cover two major events -- XSA-7, the Intel SYSRET vulnerability; and XSA-108 -- that highlighted some weaknesses in our process, and how we tweaked the process in response. Finally, we'll cover how we handled a very controversial community discussion after XSA-7 in a way which, we hope, gave everyone in the community an opportunity to have their voice heard and counted, in spite of the complete lack of consensus.

Bio

George Dunlap worked with the Xen project while a graduate student at the University of Michigan before receiving his PhD in 2006. He has done work in many areas of Xen, including performance analysis, scheduling, and memory management. He was "release coordinator" for the Xen 4.3 and 4.4 releases. He is also taking the position of technical lead in the new CentOS Virt SIG.

He writes technical articles for the xenproject.org blog, including one describing in detail the Intel SYSRET vulnerability, and has had articles published in Linux.com. George Dunlap is an experienced technical speaker. Venues include academic conferences (OSDI and VEE), project-focused conferences (Xen Summit), general open-source conferences (FOSDEM, LinuxCon NA and Europe), and customer training sessions for Citrix.