Re: [Xen-devel] Earlier embargoed pre-disclosure without patches
On Tue, 26 May 2015, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> > > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > > > If you were to ask for this only if the time gap until embargo expiry
> > > > was less than the default of two weeks, maybe I would buy this.
> > >
> > > I'm good with that as well. I think we're saying:
> > >
> > >     if embargo_length < 14d:
> > >         # XSA-133 situation
> > >         send_pre_disclosure_draft()
> > >         wait_for_patches()
> > >     elif embargo_length >= 14d and not patches_ready:
> > >         wait_for_patches()
> > >     else:
> > >         send_pre_disclosure_full()
> > >
> > > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> >
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks. I've tossed a proposed security policy change
> into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure schedule"
> section of the Xen Security Policy[2]:
>
>     In the event that a two week embargo cannot be guaranteed,
>     we will send a draft with information about the vulnerability
>     to the pre-disclosure list as soon as possible, even if
>     patches have not yet been written or tested. An updated
>     draft will be sent to the pre-disclosure list once patches
>     become available.
>
> I welcome any and all feedback. Thanks!

I would go for:

    In the event that public disclosure is less than 15 days away,
    we will send a draft with information about the vulnerability
    to the pre-disclosure list as soon as possible, even if
    patches have not yet been written or tested. An updated
    draft will be sent to the pre-disclosure list once patches
    become available.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel