Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
Ian,

Done. Please review the live page to verify that the changes are complete and as intended. I used your text to explain the 2.2 change. If you want something else, let us know.

Russ Pavlicek
Xen Project Evangelist, Citrix Systems
Home Office: +1-301-829-5327
Mobile: +1-240-397-0199
UK VoIP: +44 1223 852 894

________________________________________
From: Ian Campbell
Sent: Monday, June 30, 2014 10:08 AM
To: xen-devel
Cc: Lars Kurth; security@xxxxxxx; Russell Pavlicek
Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

There have been no objections. Lars/Russ, please could you update the security policy as described.

Cheers,
Ian.

On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> MITRE have asked us to stop our practice of allowing the CVE number
> associated with embargoed security advisories to be shared. Their policy is such that
> they tie the embargo of the details of the advisory to the number and
> any sighting of the CVE# in the wild is taken as the end of the embargo
> (the CVE# acts as a canary of sorts).
>
> MITRE is the organisation which allocates CVEs and therefore we are
> constrained by their policies. Given that, the security team proposes to
> modify the security policy[0] as follows:
>
> Under "List members are allowed to make available to their users
> only the following:" change the bullet:
> * The assigned XSA and CVE numbers
> to read:
> * The assigned XSA number
>
> Following that list add the text:
>
> NOTE: Prior to v2.2 of this policy ($DATE) it was permitted
> to also make available the allocated CVE number. This is
> no longer permitted in accordance with MITRE policy.
>
> The change history should add v2.2 describing this change.
>
> The security team intends to continue including CVE numbers (when
> available) in embargoed advisories. The change here is that
> predisclosure list members will no longer be allowed to share that
> number while the embargo is in force.
>
> While this change to our policy is still under discussion the security
> team will temporarily refrain from publishing the CVEs for embargoed
> issues.
>
> If there are no objections I suggest we make this change in one week on
> 25 June. Lars, can you make that so please?
>
> Ian.
>
> [0] http://www.xenproject.org/security-policy.html
>

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel