
Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

There have been no objections. Lars/Russ please could you update the
security policy as described.


On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> MITRE have asked us to stop our practice of allowing sharing of the CVE
> number associated with embargoed security advisories. Their policy is
> such that they tie the embargo of the details of the advisory to the
> number, and any sighting of the CVE# in the wild is taken as the end of
> the embargo (the CVE# acts as a canary of sorts).
>
> MITRE is the organisation which allocates CVEs and therefore we are
> constrained by their policies. Given that, the security team proposes to
> modify the security policy[0] as follows:
>         Under "List members are allowed to make available to their users
>         only the following:" change the bullet:
>             * The assigned XSA and CVE numbers
>         to read:
>             * The assigned XSA number
>         Following that list add the text:
>                 NOTE: Prior to v2.2 of this policy ($DATE) it was
>                 permitted to also make available the allocated CVE
>                 number. This is no longer permitted in accordance with
>                 MITRE policy.
>         The change history should add v2.2 describing this change.
> The security team intends to continue including CVE numbers (when
> available) in embargoed advisories. The change here is that
> predisclosure list members will no longer be allowed to share that
> number while the embargo is in force.
> While this change to our policy is still under discussion the security
> team will temporarily refrain from publishing the CVEs for embargoed
> issues.
> If there are no objections I suggest we make this change in one week on
> 25 June. Lars can you make that so please?
> Ian.
> [0] http://www.xenproject.org/security-policy.html
