
Re: [Xen-devel] Security vulnerability process

Mike Bursell writes ("Re: [Xen-devel] Security vulnerability process"):
> After some thought, I think we're pushing away too far from the
> discoverer here.  What I suggest, therefore, is to say
> i) explicitly that if the discoverer wishes to extend the predisclosure
> period, this will be honoured

The most recent draft policy already contains these paragraphs:

  When a discoverer reports a problem to us and requests longer delays
  than we would consider ideal, we will honour such a request if
  reasonable.  If a discoverer wants an accelerated disclosure compared
  to what we would prefer, we naturally do not have the power to insist
  that a discoverer waits for us to be ready and will honour the date
  specified by the discoverer.

  Naturally, if a vulnerability is being exploited in the wild we will
  make immediately public release of the advisory and patch(es) and
  expect others to do likewise.

That seems sufficiently clear to me that we will honour an extended
predisclosure period.

> ii) that if a predisclosure list member wishes to contact the discoverer
> to request an extension, that the Xen.org security team will act as a
> channel for such requests.

In general, I think it should be clear that the Xen.org security team
will act as a channel for any communications between all relevant
parties.  This isn't explicitly stated in the most recent draft.
How about:

  The Xen.org security team should be the primary contact point for
  communications.  It will pass on information, requests, and other
  messages between predisclosure team members, discoverers, and
  others, as applicable.
