Re: [Xen-devel] Earlier embargoed pre-disclosure without patches
>>> On 21.05.15 at 15:03, <major.hayden@xxxxxxxxxxxxx> wrote:
> Would it be possible to send out a pre-disclosure notice as soon as
> permission is granted from the discoverer and the vulnerability is verified
> as valid? In other words, could a pre-disclosure email be sent to parties on
> the pre-disclosure list *PRIOR* to patches being available?
>
> There is a significant amount of value for larger organizations in receiving
> a notice earlier -- even if it's without patches -- so that preparations can
> be made. As an example, v1 of a pre-disclosure email may discuss the
> vulnerability, affected versions, and potential impact without including
> patches. Once patches are developed/tested, a v2 email could be released.
> This would give organizations more time to determine how much of their fleet
> is potentially vulnerable and develop a plan for patching or mitigation.

I realize this is being written under the impression of XSA-133, where the
usual 2-week window between pre-disclosure and public disclosure was (almost)
missing. But that's an exception, not the rule. Are you saying that the usual
2-week advance notice is not enough?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel