[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
thanks. I think the "The security team intends to con..." bit which you included as changelog reads strangely in that context. I think a suitable changelog would be: v2.2 Jun 2014: In accordance with MITREs guidelines it is no longer permissible to share CVE numbers of embargoed issues. Ian. On Mon, 2014-06-30 at 15:33 +0100, Russell Pavlicek wrote: > Ian, > > Done. Please review the live page to verify that the changes are complete > and as intended. I used your text to explain the 2.2 change. If you want > something else, let us know. > > Russ Pavlicek > Xen Project Evangelist, Citrix Systems > Home Office: +1-301-829-5327 > Mobile: +1-240-397-0199 > UK VoIP: +44 1223 852 894 > ________________________________________ > From: Ian Campbell > Sent: Monday, June 30, 2014 10:08 AM > To: xen-devel > Cc: Lars Kurth; security@xxxxxxx; Russell Pavlicek > Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE > numbers > > There have been no objections. Lars/Russ please could you update the > security policy as described. > > Cheers, > Ian. > > On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote: > > MITRE have asked us to stop our practice of allowing the CVE number > > associated with embargoed security advisories. Their policy is such that > > they tie the embargo of the details of the advisory to the number and > > any sighting of the CVE# in the wild is taken as the end of the embargo > > (the CVE# acts as a canary of sorts). > > > > MITRE is the organisation which allocated CVEs and therefore we are > > constrained by their policies. Given that the security team proposes to > > modify the security policy[0] as follows: > > > > Under "List members are allowed to make available to their users > > only the following:" change the bullet: > > * The assigned XSA and CVE numbers > > to read: > > * The assigned XSA number > > > > Following that list add the text: > > > > NOTE: Prior v2.2 of this policy ($DATE) it was permitted > > to also make available the allocated CVE number. This is > > no longer permitted in accordance with MITRE policy. > > > > The change history should add v2.2 describing this change. > > > > The security team intends to continue including CVE numbers (when > > available) in embargoed advisories. The change here is that > > predisclosure list members will no longer be allowed to share that > > number while the embargo is in force. > > > > While this change to our policy is still under discussion the security > > team will temporarily refrain from publishing the CVEs for embargoed > > issues. > > > > If there are no objections I suggest we make this change in one week on > > 25 June. Lars can you make that so please? > > > > Ian. > > > > [0] http://www.xenproject.org/security-policy.html > > > > > _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |