[Xen-devel] Earlier embargoed pre-disclosure without patches


  • To: "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>
  • From: Major Hayden <major.hayden@xxxxxxxxxxxxx>
  • Date: Thu, 21 May 2015 13:03:43 +0000
  • Accept-language: en-US
  • Delivery-date: Thu, 21 May 2015 13:03:48 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xen.org>
  • Thread-index: AQHQk8aQyyrxxWOGekimr5xjugoNAg==
  • Thread-topic: Earlier embargoed pre-disclosure without patches

Hello there,

I'd like to suggest a change to the Xen Security Problem Response Process[0].  
The section I'm concerned with is here:

> As discussed, we will negotiate with discoverers about disclosure schedule. 
> Our usual starting point for that negotiation, unless there are reasons to 
> diverge from this, would be:
> 
> One working week between notification arriving at security@xenproject and the 
> issue of our own advisory to our predisclosure list. We will use this time to 
> gather information and prepare our advisory, including required patches.

Would it be possible to send out a pre-disclosure notice as soon as permission 
is granted from the discoverer and the vulnerability is verified as valid?  In 
other words, could a pre-disclosure email be sent to parties on the 
pre-disclosure list *PRIOR* to patches being available?

There is a significant amount of value for larger organizations in receiving a 
notice earlier -- even if it's without patches -- so that preparations can be 
made.  As an example, v1 of a pre-disclosure email may discuss the 
vulnerability, affected versions, and potential impact without including 
patches.  Once patches are developed/tested, a v2 email could be released.  
This would give organizations more time to determine how much of their fleet is 
potentially vulnerable and develop a plan for patching or mitigation.

Thanks for reading this far.

[0] http://www.xenproject.org/security-policy.html

-- 
Major Hayden
