Re: [Xen-devel] Possible improvement to Xen Security Response Process
>>> On 20.01.17 at 20:21, <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> James Bulpin writes ("Re: [Xen-devel] Possible improvement to Xen Security Response Process"):
>> , and the issue is considered to be of significant urgency due
>> to its severity, then the fourth Tuesday in the month should be
>> considered so long as this allows for a 14 day pre-disclosure
>> period" (or something like that).
>
> I agree with Jan that this fuzziness is undesirable. Also, more
> severe vulnerabilities are both more urgent to fix, and also have
> worse impact if released before people are ready, so severity is the
> wrong measure. If there is any kind of measure that is relevant it is
> difficulty.
>
> I'm writing here mostly with my personal hat, but my security team hat
> really dislikes ambiguity like this. It leads to unclear
> decision-making and side discussions.
>
> I would like the policy to specify a clear cutoff. Jan, are you
> comfortable with a "default" of between 2 and 4 weeks' embargo,
> depending on the timing of the discovery etc.? Personally I think a
> 4 week maximum seems rather long, but with a 2 week cadence that can't
> be reduced without also shortening the 2 week minimum. The range 2-4
> weeks seems like a plausible compromise.

Well, 4 weeks seems pretty much to me too. Especially during calm
periods I wonder if it wasn't better to limit the embargo period by
simply promising to have a minimum distance of two weeks between public
disclosures.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel