Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
> It also supposes that there would be some way to police this separation
> -- how could you tell if a software vendor had given unfair advantage to
> their friends, and how could you tell which one it was in order to
> "punish" them?

You've equally got to deal with the vendors whose employees decide to tell their friends. Common sense will always apply.

> The same problem exists if you allow service providers but insist that a
> condition of membership is that they use the pre-disclosure period to
> "prepare but not deploy" (i.e. to keep their hats separate). Other than
> a suspicious wave of reboots across that provider's infrastructure
> (attributed to "routine maintenance") how would you know?

The bad guys monitor this. The other way you'll know is when blackhats observe a given provider is immune to an exploit infeasibly fast. At which point that will slowly become general knowledge.

Alan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel