Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

Ian,

Changed. Please verify.

Thanks,
Russ Pavlicek
Xen Project Evangelist, Citrix Systems
Home Office: +1-301-829-5327
Mobile: +1-240-397-0199
UK VoIP: +44 1223 852 894

________________________________________
From: Ian Campbell
Sent: Monday, June 30, 2014 10:41 AM
To: Russell Pavlicek
Cc: xen-devel; Lars Kurth; security@xxxxxxx
Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

Thanks. I think the "The security team intends to con..." bit which you included as changelog reads strangely in that context. I think a suitable changelog would be:

    v2.2 Jun 2014: In accordance with MITRE's guidelines it is no longer permissible to share CVE numbers of embargoed issues.

Ian.

On Mon, 2014-06-30 at 15:33 +0100, Russell Pavlicek wrote:
> Ian,
>
> Done. Please review the live page to verify that the changes are complete
> and as intended. I used your text to explain the 2.2 change. If you want
> something else, let us know.
>
> Russ Pavlicek
> Xen Project Evangelist, Citrix Systems
> Home Office: +1-301-829-5327
> Mobile: +1-240-397-0199
> UK VoIP: +44 1223 852 894
> ________________________________________
> From: Ian Campbell
> Sent: Monday, June 30, 2014 10:08 AM
> To: xen-devel
> Cc: Lars Kurth; security@xxxxxxx; Russell Pavlicek
> Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
>
> There have been no objections. Lars/Russ please could you update the
> security policy as described.
>
> Cheers,
> Ian.
>
> On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> > MITRE have asked us to stop our practice of allowing the CVE number
> > associated with embargoed security advisories. Their policy is such that
> > they tie the embargo of the details of the advisory to the number and
> > any sighting of the CVE# in the wild is taken as the end of the embargo
> > (the CVE# acts as a canary of sorts).
> >
> > MITRE is the organisation which allocates CVEs and therefore we are
> > constrained by their policies. Given that, the security team proposes to
> > modify the security policy[0] as follows:
> >
> > Under "List members are allowed to make available to their users
> > only the following:" change the bullet:
> >
> >     * The assigned XSA and CVE numbers
> >
> > to read:
> >
> >     * The assigned XSA number
> >
> > Following that list add the text:
> >
> >     NOTE: Prior to v2.2 of this policy ($DATE) it was permitted
> >     to also make available the allocated CVE number. This is
> >     no longer permitted in accordance with MITRE policy.
> >
> > The change history should add v2.2 describing this change.
> >
> > The security team intends to continue including CVE numbers (when
> > available) in embargoed advisories. The change here is that
> > predisclosure list members will no longer be allowed to share that
> > number while the embargo is in force.
> >
> > While this change to our policy is still under discussion the security
> > team will temporarily refrain from publishing the CVEs for embargoed
> > issues.
> >
> > If there are no objections I suggest we make this change in one week on
> > 25 June. Lars can you make that so please?
> >
> > Ian.
> >
> > [0] http://www.xenproject.org/security-policy.html

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel