Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

On 10 Oct 2014, at 16:47, Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>> Predisclosure list membership
> This whole final section I completely agree with.
> There's one more thing I thought of btw: When we change the
> policy following whatever community input we gathered (not just
> now, but also in the future), people currently on the pre-disclosure
> list may (at least theoretically) end up no longer qualifying for
> being on the list. Shouldn't we
> - add some kind of statement to the effect of implicit agreement
>  to changed terms,
> - provide means for list members to be removed other than by
>  them asking for it?
> Jan

I also was wondering whether it would make sense to put a time limit on
applications. For example, we could say that processing an application will
take 2 weeks. By doing so, we avoid having to handle applications as a response
to media speculation. If we get an application wrong, and allow somebody wrong
on the list who then discloses information related to an embargo, we would
create risks for others already on the list. This would be the worst possible
outcome for the project. Just a thought.


Xen-devel mailing list