
Re: [Xen-devel] Earlier embargoed pre-disclosure without patches

On 05/22/2015 02:40 AM, Jan Beulich wrote:
> I realize this is being written under the impression of XSA-133, where
> the usual 2 week window between pre-disclosure and public disclosure
> was (almost) missing. But that's an exception, not the rule. Are you
> saying that the usual 2 week advance notice is not enough?

Correct -- this came to light after the events around XSA-133.

The two week window is an acceptable amount of time for pre-disclosure.  
However, from the timeline in the XSA-133 retrospective[1], the Xen security 
team was aware of the vulnerability on May 1 while the notification for the 
pre-disclosure list was held until May 11.  It looks like there might have been 
two reasons for the delay: updated patches and permission from the discoverer 
for release.  (This was my interpretation so please correct me if I read it 

My request is that the Xen security team would send a pre-disclosure notice of 
the vulnerability as soon as permission from the discoverer is granted *even 
if* patches aren't available.  For example, I'd like to receive a notice saying 
"there's a vulnerability, here's what we know about it, patches are forthcoming 
with additional information".

That would allow for more preparation on the business side of more 
organizations.  There are obvious technical challenges with these 
vulnerabilities but there are plenty of business-side preparations which need 
to be made (how to communicate with customers after embargo ends, deployment of 
test hardware, plans for staffing during patching periods).  Many of these 
could get started prior to patches being available.

Hopefully that makes sense.  I'd rather receive an incomplete vulnerability 
report than wait for a fully complete report.

[1] http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02872.html

Major Hayden
