[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security vulnerability process

On Tue, 2011-07-26 at 11:25 -0400, Mike Bursell wrote:
> Ian/all -
> >In May I sent out a draft security vulnerability process.  Mostly it
> >seems to have met with approval or at least acquiescence.
> >We received some comments and based on that I have prepared a new
> >final draft.  The changes ought not to be controversial.
> >Please send any final comments by the 28th of July (14 days from
> >now).  Unless there are objections, we will regard the process as
> >formally in force from that date.
> Sorry for the rather last-minute response, but we've been considering 
> this process within Citrix, and although the process seems very clear
> and deals with most cases admirably, we'd like to propose a couple of 
> changes to deal with edge cases, and one other change on top.
> I've included the original mail below, for reference in case people
> don't have it.
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.

This seems reasonable enough.

> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.

I think the existing wording is already pretty clear that these
timespans are a starting point and that it is subject to change if there
is good reason.

> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period.  This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.  

Ultimately the final determination lies with the discover, who is under
no obligation to abide by any decision made by the board.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.