Re: [Xen-devel] Security vulnerability process
On Thu, 2011-08-25 at 12:20 +0100, Ian Jackson wrote:
> Mike Bursell writes ("[Xen-devel] Security vulnerability process"):
> > Proposed changes
> > i. extend the standard embargo period from one week to two to allow more
> > time for response/roll-out.
>
> Thanks for your comments.
>
> No-one seems to have objected to this.

Always nice. :-)

> > ii. allow the standard initial week to flex in the case that a fix is
> > not immediately found.
>
> I agree with Ian Campbell's comment about this. The wording:
>
> As discussed, we will negotiate with discoverers about disclosure
> schedule. Our usual starting point for that negotiation, unless there
> are reasons to diverge from this, would be:
>
> makes it clear that this schedule is definitely subject to variation
> depending on the circumstances. Would you agree ?

That's fine, I think.

> > iii. allow the standard embargo period to be extended, by consensus of
> > those on the predisclosure list, moderated by the Board, to a longer
> > period. This is to deal with cases where the vulnerability is
> > particularly severe and/or the fixes are particularly onerous to roll
> > out.
>
> I don't think this idea is really going to work.
>
> Firstly, the predisclosure list is an announcement list, not a
> discussion list. While the list of organisations will be published,
> in general the email addresses on it are busy security contact desks
> who do not want to be involved in extended discussions.
>
> Secondly, I think it will in practice prove difficult to get consensus
> on an extension - given that the predisclosure list contains some
> organisations who have expectations of a very short timescale and who
> want to fix the problem for their users ASAP. So such a provision
> wouldn't have much effect other than people sending extra emails. And
> of course as Ian Campbell says we are still bound by the views of the
> discoverer.
>
> Finally, even if these practical objections could be dealt with, it
> seems to me to be questionable to put the predisclosure list
> members in charge of the decision about when the rest of the users
> find out. There is a clear conflict of interest there.
>
> So for those reasons I'm afraid I think it wouldn't be appropriate to
> make that change.

After some thought, I think we're pushing away too far from the discoverer here.

What I suggest, therefore, is to say
i) explicitly that if the discoverer wishes to extend the predisclosure period, this will be honoured
ii) that if a predisclosure list member wishes to contact the discoverer to request an extension, that the Xen.org security team will act as a channel for such requests.

How does this sound?

-Mike.

--
Mike Bursell, Network Subsystem Architect
Citrix Systems R&D.
+44 7971 926937

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel