[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

Xen Project Security Team writes ("Security policy ambiguities - XSA-108 
process post-mortem"):
> We welcome any feedback on our decisions and we look forward to
> clearer directions from the community.

Here is my own, purely personal, response with answers to the
questions asked.  NB that this is not the opinion of Citrix nor of
the Xen Project Security Team.  But I thought I would at least write
down something concrete for people to argue about.

> Sharing amongst predisclosure list members

I think that the answer should be `yes', in principle.  There seems
little point forbidding this.

Allowing greater sharing would perhaps allow problems with patches to
be discovered (and the revised patches developed) more easily.  We
should provide a clear channel for collaboration between predisclosure
list members.

Therefore, the policy should be extended by adding, before
`Organisations who meet the criteria', the new section:

  List members are allowed to share fixes to embargoed issues,
  analysis, etc., with the security teams of other list members.
  Technical measures must be taken to prevents non-list-member
  organisations, or unauthorised staff in list-member organisations,
  from obtaining the embargoed materials.

  The Xen Project provides the mailing list
  for this purpose.  List members are encouraged to use it but
  may share with other list members' security teams via other

  The -discuss list's distribution is identical to that of the primary
  predisclosure list xen-security-issues.  Recipient organisations who
  do not wish to receive all of the traffic on -discuss should use
  recipient-side email filtering based on the provided `List-Id'.

  The -discuss list is moderated by the Xen Project Security Team.
  Announcements of private availability of fixed versions, and
  technical messages about embargoed advisories, will be approved.
  Messages dealing with policy matters will be rejected with a
  reference to the Security Team contact address and/or public Xen
  mailing lists.

(That list obviously doesn't exist yet, but if the policy is approved
we will create it.)

One reason for permitting this is that we want fairness between
service providers who use their own versions of Xen, and ones who use
a version from a software provider.  Both kinds of service provider
should be able to test the fix during the embargo.

> Deployment on public systems of fixed versions during embargo

These different understandings have led to some bad feelings - some
people feel that others have breached the embargo, while they felt
prevented from acting similarly.  This is very regrettable and I
apologise for my contribution to the unclarity in the policy.

I want to say clearly that I think everyone has acted in good faith.

My view is that the policy should be clarified to permit deployment
during embargo.  I see no practical reason for preventing it.  I would
add, following that list of bullet points:

  List members who are service providers may deploy fixed versions
  during the embargo, PROVIDED THAT any action taken by the service
  provider gives no indication (to their users or anyone else) as to
  the nature of the vulnerability.

This question is IMO partly linked to the previous one.

The Security Team should not be invited to give permission
specifically for the release of patched software.  I think the rider
was mistakenly merged into the final the bullet point in the list.  It
should be separated out.  Also, the predisclosure list members should
not be invited to consult the discoverer.

The note about CVE numbers should be moved into the list of
forbidden-disclosures, as a new bullet point.  So overall I would
delete that whole paragraph about CVEs (we don't need the historical
information) and adjust the end of the forbidden disclosures to read:

    * patched software (even in binary form)
    * CVE number(s)

  without prior consultation with security@xenproject.

> Service announcements to non-list-member users during embargo

We should add just below the list of bullet points of things which may
be disclosed:

  Where the list member is a service provider who intends to take
  disruptive action such as rebooting as part of deploying a fix (see
  above): the list member's communications to its users about the
  service disruption may mention that the disruption is to correct a
  security issue, and relate it to the public information about the
  issue (as listed above).

> Predisclosure list memembership

The policy should be amended to require applicants to provide the
information required, in the form of public URLs.  The team should not
be required to judge email aliases or enquire about their recipients
except to ensure that they don't look like personal aliases.

Applicants should be required to:

  - Provide information on their public web pages which makes
    it clear that and why they are eligible;

  - Specifically, publicly state that and how they are using Xen
    (so that the Security Team can verify eligibility);

  - Provide a way for members of the public to responsibly report
    security problems to the applicant, just as the Xen Project does.

The Security Team should be forbidden from trying to hunt down
eligibility information etc. and should instead be mandated to reject
incomplete requests.

Specifically, I propose that the section on list membership
applications be entirely replaced with this:

  Organisations who meet the criteria should contact
  security@xenproject if they wish to receive pre-disclosure of
  advisories.  You must include in the e-mail:

    * The name of your organization.

    * Domain name(s) which you use to provide Xen software/services.

    * A brief description of why you fit the criteria.

    * If not all of your products/services use Xen, a list of (some
      of) your products/services (or categories thereof) which do.

    * Link(s) to current public web pages, belonging to your
      organisation, for each of following pieces of information:

      o Evidence of your status as a service/software provider:
        + If you are a public hosting provider, your public rates
          or how to get a quote
        + If you are a software provider, how your
          software can be downloaded or purchased
        + If you are an open-source project, a mailing list
          archive and/or version control repository, with
          active development

      o Evidence of your status as a user of Xen:
        + Statements about, or descriptions of, your eligible
          production services or released software, from which it is
          immediately evident that they use Xen.

      o Information about your handling of security problems:
        + Your invitation to members of the public, who discover
          security problems with your products/services, to report
          them in confidence to you;
        + Specifically, the contact information (email addresses or
          other contact instructions) which such a member of the
          public should use.

      Blog postings, conference presentations, social media pages,
      Flash presentations, videos, sites which require registration,
      anything password-protected, etc., are not acceptable.  PDFs of
      reasonable size are acceptable so long as the URL you provide is
      of a ordinary HTML page providing a link to the PDF.

      If the pages are long and/or PDFs are involved, your email
      should say which part of the pages and documents are relevant.

    * A statement to the effect that you have read this policy and
      agree to abide by the terms for inclusion in the list,
      specifically the requirements regarding confidentiality during
      an embargo period.

    * The single (non-personal) email alias you wish added to the
      predisclosure list.

  The Security Team has no discretion to accept applications which do
  not provide all of the information required above.

  Please provide URLs which are accessible and legible on mobile phone
  browsers, which do not require cookies enabled to load, and which
  are useable with text mode browsers, browsers which do not execute
  Javascript, and with screen readers and other accessibility
  software.  If the member of the Xen Project Security Team who
  processes your application finds that their usual web browser does
  not display the required information, when presented with the URLs
  in your email, your application might be delayed or even rejected.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.