Re: [Xen-devel] Earlier embargoed pre-disclosure without patches

On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> On Fri, 22 May 2015, Major Hayden wrote:
>> On 05/22/2015 09:04 AM, Jan Beulich wrote:
>>> If you were to ask for this only if the time gap until embargo expiry
>>> was less than the default of two weeks, maybe I would buy this.
>>
>> I'm good with that as well.  I think we're saying:
>>
>>   if embargo_length < 14d:
>>     # XSA-133 situation
>>     send_pre_disclosure_draft()
>>     wait_for_patches()
>>   elif embargo_length >= 14d and not patches_ready:
>>     wait_for_patches()
>>   else:
>>     send_pre_disclosure_full()
>>
>> Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> It makes sense to me. I can see the value for an organization with
> thousands of servers to know about it in advance, regardless of the
> patches, so that it can schedule the update work appropriately.

Thanks for the help, folks.  I've tossed a proposed security policy change into
a GitHub gist[1].

My proposal is to add this paragraph to the "Embargo and disclosure schedule" 
section of the Xen Security Policy[2]:

    In the event that a two week embargo cannot be guaranteed,
    we will send a draft with information about the vulnerability
    to the pre-disclosure list as soon as possible, even if 
    patches have not yet been written or tested.  An updated 
    draft will be sent to the pre-disclosure list once patches
    become available.

I welcome any and all feedback.  Thanks!

[1] https://gist.github.com/major/1a4f7ba7787b754845e9
[2] http://www.xenproject.org/security-policy.html

Major Hayden
