
Re: [PATCH][security policy] embargo control and crediting of discoverer


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Thu, 8 Jan 2026 15:37:53 +0100
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "committers@xxxxxxxxxxxxxx" <committers@xxxxxxxxxxxxxx>, "community.manager@xxxxxxxxxxxxxx" <community.manager@xxxxxxxxxxxxxx>
  • Delivery-date: Thu, 08 Jan 2026 14:38:10 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Dec 23, 2025 at 06:03:25PM +0100, Jan Beulich wrote:
> This is as per discussion at an earlier Community Call.
> 
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

Acked-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>

> ---
> Btw, what does "(b)-(f)" refer to under "Specific Process", item 3, sub-
> item 5?
> 
> --- content/about/security-policy.md
> +++ content/about/security-policy.md
> @@ -103,6 +103,8 @@ Vulnerabilities reported against other X
>  
>      At this stage the advisory will be clearly marked with the embargo date.
>  
> +    Unless requested otherwise, the discoverer will be credited already with 
> the pre-release.
> +
>  5.  **Advisory public release:**At the embargo date we will publish the 
> advisory, and push bugfix changesets to public revision control trees.Public 
> advisories will be posted to xen-devel, xen-users and xen-annnounce and will 
> be added to the [Security Announcements Page](http://xenbits.xen.org/xsa/) 
> (note that Advisories before XSA-26 were published 
> [here](http://wiki.xenproject.org/wiki/Security_Announcements_%28Historical%29))
>  . Copies will also be sent to the pre-disclosure list.
>  6.  **Updates**If new information or better patches become available, or we 
> discover mistakes, we may issue an amended (revision 2 or later) public 
> advisory. This will also be sent to the pre-disclosure list.
>  7.  **Post embargo transparency:**During an embargo period the Security 
> Response Team may be required to make potentially controverial decisions in 
> private, since they cannot confer with the community without breaking the 
> embargo. The Security Response Team will attempt to make such decisions 
> following the guidance of this document and where necessary their own best 
> judgement. Following the embargo period any such decisions will be disclosed 
> to the community in the interests of transparency and to help provide 
> guidance should a similar decision be required in the future.
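Review bot: the added sentence in this hunk, "the discoverer will be credited already with the pre-release", reads awkwardly and leaves implicit whose request the opt-out refers to; "Unless the discoverer requests otherwise, they will already be credited in the pre-release advisory" (or "at pre-disclosure", the term the rest of the document uses) would be clearer. The unchanged context lines also carry pre-existing typos ("xen-annnounce", "controverial") and missing separators after the bold headings ("**Advisory public release:**At", "**Updates**If", "**Post embargo transparency:**During") that could go in a separate cleanup patch since this section is being touched anyway.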
> @@ -118,6 +120,8 @@ As discussed, we will negotiate with dis
>  
>  When a discoverer reports a problem to us and requests longer delays than we 
> would consider ideal, we will honour such a request if reasonable. If a 
> discoverer wants an accelerated disclosure compared to what we would prefer, 
> we naturally do not have the power to insist that a discoverer waits for us 
> to be ready and will honour the date specified by the discoverer.
>  
> +In any event at the time of pre-disclosure control over a possible late 
> change of the public disclosure date moves from the discoverer to the 
> Security Response Team. This is to avoid pre-disclosure list members putting 
> pressure on the individual to extend or shorten the embargo.
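Review bot: the new paragraph in this hunk needs a comma after "pre-disclosure" ("In any event, at the time of pre-disclosure, control over a possible late change ..."), and as worded it can be read as overriding the commitment in the preceding paragraph to honour a date specified by the discoverer. Stating explicitly that control stays with the Security Response Team for the remainder of the embargo, not only at the moment of pre-disclosure, and whether a discoverer's own later request will still be considered, would remove that ambiguity.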

I would maybe add a comma between pre-disclosure and control and
clarify that after pre-disclosure it's always under the control of the
security team:

"In any event at or after the time of pre-disclosure, control over a possible 
late change ..."

I'm not especially fussed anyway.

Thanks, Roger.
