
Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued



On 15/02/17 09:44, Jan Beulich wrote:
>>>> On 14.02.17 at 18:25, <george.dunlap@xxxxxxxxxx> wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
> 
> Considering the following text, perhaps "may" would end up a little
> less strict here than "can"? Or add "possibly"? Everything else looks
> good to me now, fwiw.

I understand your concern, I think: There are lots of situations that
won't be black-and-white (because of lack of knowledge), and this makes
it sound like we won't issue an advisory for any gray areas.

I don't think in this context "can" and "may" have significantly
different meanings in English.

How about:

4. The security team will only issue an advisory if there is a known
combination of software in which the vulnerability can be exploited, or
a significant risk that such a combination exists.

 -George


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

