
Re: [Xen-devel] Security vulnerability process

Mike Bursell writes ("[Xen-devel] Security vulnerability process"):
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.

Thanks for your comments.

No-one seems to have objected to this.

> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.

I agree with Ian Campbell's comment about this.  The wording:

  As discussed, we will negotiate with discoverers about disclosure
  schedule.  Our usual starting point for that negotiation, unless there
  are reasons to diverge from this, would be:

makes it clear that this schedule is definitely subject to variation
depending on the circumstances.  Would you agree ?

> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period.  This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.  

I don't think this idea is really going to work.

Firstly, the predisclosure list is an announcement list, not a
discussion list.  While the list of organisations will be published,
in general the email addresses on it are busy security contact desks
who do not want to be involved in extended discussions.

Secondly, I think it will in practice prove difficult to get consensus
on an extension - given that the predisclosure list contains some
organisations who have expectations of a very short timescale and who
want to fix the problem for their users ASAP.  So such a provision
wouldn't have much effect other than people sending extra emails.  And
of course as Ian Campbell says we are still bound by the views of the

Finally, even if these practical objections could be dealt with, it
seems to me to be questionable to put the predisclosure list
members in charge of the decision about when the rest of the users
find out.  There is a clear conflict of interest there.

So for those reasons I'm afraid I think it wouldn't be appropriate to
make that change.
