Re: [Xen-devel] Security vulnerability process
On Tue, 2011-07-26 at 11:25 -0400, Mike Bursell wrote:
> Ian/all -
>
> >In May I sent out a draft security vulnerability process. Mostly it
> >seems to have met with approval or at least acquiescence.
> >
> >We received some comments and based on that I have prepared a new
> >final draft. The changes ought not to be controversial.
> >
> >Please send any final comments by the 28th of July (14 days from
> >now). Unless there are objections, we will regard the process as
> >formally in force from that date.
>
> Sorry for the rather last-minute response, but we've been considering
> this process within Citrix, and although the process seems very clear
> and deals with most cases admirably, we'd like to propose a couple of
> changes to deal with edge cases, and one other change on top.
>
> I've included the original mail below, for reference in case people
> don't have it.
>
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.

This seems reasonable enough.

> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.

I think the existing wording is already pretty clear that these timespans
are a starting point and that it is subject to change if there is good
reason.

> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period. This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.

Ultimately the final determination lies with the discoverer, who is under
no obligation to abide by any decision made by the board.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel