
[Xen-devel] Earlier embargoed pre-disclosure without patches

  • To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
  • From: Major Hayden <major.hayden@xxxxxxxxxxxxx>
  • Date: Thu, 21 May 2015 13:03:43 +0000
  • Accept-language: en-US
  • Delivery-date: Thu, 21 May 2015 13:03:48 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: AQHQk8aQyyrxxWOGekimr5xjugoNAg==
  • Thread-topic: Earlier embargoed pre-disclosure without patches
Hello there,

I'd like to suggest a change to the Xen Security Problem Response Process[0].  
The section I'm concerned with is here:

> As discussed, we will negotiate with discoverers about disclosure schedule. 
> Our usual starting point for that negotiation, unless there are reasons to 
> diverge from this, would be:
> One working week between notification arriving at security@xenproject and the 
> issue of our own advisory to our predisclosure list. We will use this time to 
> gather information and prepare our advisory, including required patches.

Would it be possible to send out a pre-disclosure notice as soon as permission 
is granted from the discoverer and the vulnerability is verified as valid?  In 
other words, could a pre-disclosure email be sent to parties on the 
pre-disclosure list *PRIOR* to patches being available?

There is a significant amount of value for larger organizations in receiving a 
notice earlier -- even if it's without patches -- so that preparations can be 
made.  As an example, v1 of a pre-disclosure email may discuss the 
vulnerability, affected versions, and potential impact without including 
patches.  Once patches are developed/tested, a v2 email could be released.  
This would give organizations more time to determine how much of their fleet is 
potentially vulnerable and develop a plan for patching or mitigation.

Thanks for reading this far.

[0] http://www.xenproject.org/security-policy.html

--
Major Hayden