[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Security disclosure process discussion update

OK, I've updated the section to make it clear that organizations are
committing to the disclosure policy and agree to ensure that their
members who come in contact with it abide by the policy.

I think we're probably ready for the normal vote starting 15 April.


On Mon, Dec 17, 2012 at 12:58 PM, George Dunlap
<George.Dunlap@xxxxxxxxxxxxx> wrote:
> After concluding our poll [1] about changes to the security
> discussion, we determined that "Pre-disclosure to software vendors and
> a wide set of users" was probably the best fit for the community.  A
> set of concrete changes to the policy have now been discussed on
> xen-devel [2] [3], and we seem to have converged on something everyone
> finds acceptable.
> We are now presenting these changes for public review.  The purpose of
> this review process is to allow feedback on the text which will be
> voted on, in accordance to the Xen.org governance procedure [3].  Our
> plan is to leave this up for review until the third week in January.
> Any substantial updates will be mentioned on the blog and will extend
> the review time.
> All feedback and discussion should happen in public on the xen-devel
> mailing list.  If you have any suggestions for how to improve the
> proposal, please e-mail the list, and cc George Dunlap (george dot
> dunlap at citrix.com).
> = Summary of the updates =
> As discussed on the xen-devel mailing list, expand eligibility of the
> pre-disclosure list to include any public hosting provider, as well
> as software project:
> * Change "Large hosting providers" to "Public hosting providers"
> * Remove "widely-deployed" from vendors and distributors
> * Add rules of thumb for what constitutes "genuine"
> * Add an itemized list of information to be included in the application,
> to make expectations clear and (hopefully) applications more streamlined.
> The first will allow hosting providers of any size to join.
> The second will allow software projects and vendors of any size to join.
> The third and fourth will help describe exactly what criteria will be used
> to
> determine eligibility for 1 and 2.
> Additionally, this proposal adds the following requirements:
> * Applicants and current members must use an e-mail alias, not an
> individual's
> e-mail
> * Applicants and current members must submit a statement saying that they
> have
> read, understand, and will abide by this process document.
> The new policy in its entirety can be found here:
> http://wiki.xen.org/wiki/Security_vulnerability_process_draft
> For comparison, the current policy can be found here:
> http://www.xen.org/projects/security_vulnerability_process.html
> [1]
> http://blog.xen.org/index.php/2012/08/23/disclosure-process-poll-results/
> [2] http://marc.info/?l=xen-devel&m=135300020310446
> [3] http://marc.info/?l=xen-devel&m=135455914107182
> [4] http://www.xen.org/projects/governance.html

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.