Re: [Xen-devel] Earlier embargoed pre-disclosure without patches
On 05/22/2015 02:40 AM, Jan Beulich wrote:
> I realize this is being written under the impression of XSA-133, where
> the usual 2 week window between pre-disclosure and public disclosure
> was (almost) missing. But that's an exception, not the rule. Are you
> saying that the usual 2 week advance notice is not enough?

Correct -- this came to light after the events around XSA-133. The two week window is an acceptable amount of time for pre-disclosure. However, from the timeline in the XSA-133 retrospective[1], the Xen security team was aware of the vulnerability on May 1 while the notification for the pre-disclosure list was held until May 11. It looks like there might have been two reasons for the delay: updated patches and permission from the discoverer for release. (This was my interpretation, so please correct me if I read it incorrectly.)

My request is that the Xen security team would send a pre-disclosure notice of the vulnerability as soon as permission from the discoverer is granted *even if* patches aren't available. For example, I'd like to receive a notice saying "there's a vulnerability, here's what we know about it, patches are forthcoming with additional information".

That would allow for more preparation on the business side of more organizations. There are obvious technical challenges with these vulnerabilities, but there are plenty of business-side preparations which need to be made (how to communicate with customers after the embargo ends, deployment of test hardware, plans for staffing during patching periods). Many of these could get started prior to patches being available.

Hopefully that makes sense. I'd rather receive an incomplete vulnerability report than wait for a fully complete one.

[1] http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02872.html

--
Major Hayden

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel