Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
Looks good. Thanks.

On Mon, 2014-06-30 at 15:45 +0100, Russell Pavlicek wrote:
> Ian,
>
> Changed. Please verify.
>
> Thanks,
>
> Russ Pavlicek
> Xen Project Evangelist, Citrix Systems
> Home Office: +1-301-829-5327
> Mobile: +1-240-397-0199
> UK VoIP: +44 1223 852 894
> ________________________________________
> From: Ian Campbell
> Sent: Monday, June 30, 2014 10:41 AM
> To: Russell Pavlicek
> Cc: xen-devel; Lars Kurth; security@xxxxxxx
> Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
>
> Thanks.
>
> I think the "The security team intends to con..." bit which you included
> as changelog reads strangely in that context. I think a suitable
> changelog would be:
>
>     v2.2 Jun 2014: In accordance with MITRE's guidelines it is no
>     longer permissible to share CVE numbers of embargoed issues.
>
> Ian.
>
> On Mon, 2014-06-30 at 15:33 +0100, Russell Pavlicek wrote:
> > Ian,
> >
> > Done. Please review the live page to verify that the changes are complete
> > and as intended. I used your text to explain the 2.2 change. If you want
> > something else, let us know.
> >
> > Russ Pavlicek
> > Xen Project Evangelist, Citrix Systems
> > Home Office: +1-301-829-5327
> > Mobile: +1-240-397-0199
> > UK VoIP: +44 1223 852 894
> > ________________________________________
> > From: Ian Campbell
> > Sent: Monday, June 30, 2014 10:08 AM
> > To: xen-devel
> > Cc: Lars Kurth; security@xxxxxxx; Russell Pavlicek
> > Subject: Re: [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
> >
> > There have been no objections. Lars/Russ, please could you update the
> > security policy as described.
> >
> > Cheers,
> > Ian.
> >
> > On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> > > MITRE have asked us to stop our practice of allowing the CVE number
> > > associated with embargoed security advisories to be shared. Their policy
> > > is such that they tie the embargo of the details of the advisory to the
> > > number, and any sighting of the CVE# in the wild is taken as the end of
> > > the embargo (the CVE# acts as a canary of sorts).
> > >
> > > MITRE is the organisation which allocates CVEs and therefore we are
> > > constrained by their policies. Given that, the security team proposes to
> > > modify the security policy[0] as follows:
> > >
> > > Under "List members are allowed to make available to their users
> > > only the following:" change the bullet:
> > >
> > >     * The assigned XSA and CVE numbers
> > >
> > > to read:
> > >
> > >     * The assigned XSA number
> > >
> > > Following that list add the text:
> > >
> > >     NOTE: Prior to v2.2 of this policy ($DATE) it was permitted
> > >     to also make available the allocated CVE number. This is
> > >     no longer permitted in accordance with MITRE policy.
> > >
> > > The change history should add v2.2 describing this change.
> > >
> > > The security team intends to continue including CVE numbers (when
> > > available) in embargoed advisories. The change here is that
> > > predisclosure list members will no longer be allowed to share that
> > > number while the embargo is in force.
> > >
> > > While this change to our policy is still under discussion the security
> > > team will temporarily refrain from publishing the CVEs for embargoed
> > > issues.
> > >
> > > If there are no objections I suggest we make this change in one week on
> > > 25 June. Lars, can you make that so please?
> > >
> > > Ian.
> > >
> > > [0] http://www.xenproject.org/security-policy.html

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel