
Re: [Xen-devel] Security vulnerability process

On Thu, 2011-08-25 at 12:20 +0100, Ian Jackson wrote:
> Mike Bursell writes ("[Xen-devel] Security vulnerability process"):
> > Proposed changes
> > i. extend the standard embargo period from one week to two to allow more
> > time for response/roll-out.
> Thanks for your comments.
> No-one seems to have objected to this.

Always nice.  :-)

> > ii. allow the standard initial week to flex in the case that a fix is
> > not immediately found.
> I agree with Ian Campbell's comment about this.  The wording:
>   As discussed, we will negotiate with discoverers about disclosure
>   schedule.  Our usual starting point for that negotiation, unless there
>   are reasons to diverge from this, would be:
> makes it clear that this schedule is definitely subject to variation
> depending on the circumstances.  Would you agree ?

That's fine, I think.

> > iii. allow the standard embargo period to be extended, by consensus of
> > those on the predisclosure list, moderated by the Board, to a longer
> > period.  This is to deal with cases where the vulnerability is
> > particularly severe and/or the fixes are particularly onerous to roll
> > out.  
> I don't think this idea is really going to work.
> Firstly, the predisclosure list is an announcement list, not a
> discussion list.  While the list of organisations will be published,
> in general the email addresses on it are busy security contact desks
> who do not want to be involved in extended discussions.
> Secondly, I think it will in practice prove difficult to get consensus
> on an extension - given that the predisclosure list contains some
> organisations who have expectations of a very short timescale and who
> want to fix the problem for their users ASAP.  So such a provision
> wouldn't have much effect other than people sending extra emails.  And
> of course as Ian Campbell says we are still bound by the views of the
> discoverer.
> Finally, even if these practical objections could be dealt with, it
> seems to me to be questionable to put the predisclosure list
> members in charge of the decision about when the rest of the users
> find out.  There is a clear conflict of interest there.
> So for those reasons I'm afraid I think it wouldn't be appropriate to
> make that change.

After some thought, I think we're pushing away too far from the
discoverer here.  What I suggest, therefore, is to say

i) explicitly that if the discoverer wishes to extend the predisclosure
period, this will be honoured
ii) that if a predisclosure list member wishes to contact the discoverer
to request an extension, that the Xen.org security team will act as a
channel for such requests.

How does this sound?

Mike Bursell, Network Subsystem Architect
Citrix Systems R&D.  +44 7971 926937