Re: [Xen-devel] RFC v2: Scope of Vulnerabilities for which XSAs are issued
On 15/02/17 09:44, Jan Beulich wrote:
>>>> On 14.02.17 at 18:25, <george.dunlap@xxxxxxxxxx> wrote:
>> 4. The security team will only issue an advisory if there is a known
>> combination of software in which the vulnerability can be exploited.
>
> Considering the following text, perhaps "may" would end up a little
> less strict here than "can"? Or add "possibly"? Everything else looks
> good to me now, fwiw.

I understand your concern, I think: There are lots of situations that won't be black-and-white (because of lack of knowledge), and this makes it sound like we won't issue an advisory for any gray areas.

I don't think in this context "can" and "may" have significantly different meanings in English.

How about:

4. The security team will only issue an advisory if there is a known combination of software in which the vulnerability can be exploited, or a significant risk that such a combination exists.

-George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel