Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers


Done.  Please review the live page to verify that the changes are complete and 
as intended.  I used your text to explain the 2.2 change.  If you want 
something else, let us know.

Russ Pavlicek
Xen Project Evangelist, Citrix Systems
Home Office: +1-301-829-5327
Mobile: +1-240-397-0199
UK VoIP: +44 1223 852 894
From: Ian Campbell
Sent: Monday, June 30, 2014 10:08 AM
To: xen-devel
Cc: Lars Kurth; security@xxxxxxx; Russell Pavlicek
Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

There have been no objections. Lars/Russ please could you update the
security policy as described.


On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> MITRE have asked us to stop our practice of allowing the sharing of the CVE
> number associated with embargoed security advisories. Their policy is such
> that they tie the embargo of the details of the advisory to the number and
> any sighting of the CVE# in the wild is taken as the end of the embargo
> (the CVE# acts as a canary of sorts).
>
> MITRE is the organisation which allocates CVEs and therefore we are
> constrained by their policies. Given that, the security team proposes to
> modify the security policy[0] as follows:
>
>         Under "List members are allowed to make available to their users
>         only the following:" change the bullet:
>             * The assigned XSA and CVE numbers
>         to read:
>             * The assigned XSA number
>         Following that list add the text:
>                 NOTE: Prior to v2.2 of this policy ($DATE) it was permitted
>                 to also make available the allocated CVE number. This is
>                 no longer permitted in accordance with MITRE policy.
>         The change history should add v2.2 describing this change.
>
> The security team intends to continue including CVE numbers (when
> available) in embargoed advisories. The change here is that
> predisclosure list members will no longer be allowed to share that
> number while the embargo is in force.
>
> While this change to our policy is still under discussion the security
> team will temporarily refrain from publishing the CVEs for embargoed
> issues.
>
> If there are no objections I suggest we make this change in one week on
> 25 June. Lars can you make that so please?
>
> Ian.
>
> [0] http://www.xenproject.org/security-policy.html
