[Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
MITRE have asked us to stop our practice of allowing sharing of the CVE number associated with embargoed security advisories. Their policy is such that they tie the embargo of the details of the advisory to the number, and any sighting of the CVE# in the wild is taken as the end of the embargo (the CVE# acts as a canary of sorts). MITRE is the organisation which allocates CVEs and therefore we are constrained by their policies.

Given that, the security team proposes to modify the security policy[0] as follows:

Under "List members are allowed to make available to their users only the following:" change the bullet:

* The assigned XSA and CVE numbers

to read:

* The assigned XSA number

Following that list add the text:

NOTE: Prior to v2.2 of this policy ($DATE) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.

The change history should add v2.2 describing this change.

The security team intends to continue including CVE numbers (when available) in embargoed advisories. The change here is that predisclosure list members will no longer be allowed to share that number while the embargo is in force.

While this change to our policy is still under discussion the security team will temporarily refrain from publishing the CVEs for embargoed issues.

If there are no objections I suggest we make this change in one week on 25 June. Lars, can you make that so please?

Ian.

[0] http://www.xenproject.org/security-policy.html

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel