-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello there,
I'd like to suggest a change to the Xen Security Problem Response Process[0]. The section I'm concerned with is here:
> As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
>
> One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.
Would it be possible to send out a pre-disclosure notice as soon as permission is granted from the discoverer and the vulnerability is verified as valid? In other words, could a pre-disclosure email be sent to parties on the pre-disclosure list *PRIOR* to patches being available?
There is a significant amount of value for larger organizations in receiving a notice earlier -- even if it's without patches -- so that preparations can be made. As an example, v1 of a pre-disclosure email may discuss the vulnerability, affected versions, and potential impact without including patches. Once patches are developed/tested, a v2 email could be released. This would give organizations more time to determine how much of their fleet is potentially vulnerable and develop a plan for patching or mitigation.
Thanks for reading this far.
[0] http://www.xenproject.org/security-policy.html
- --
Major Hayden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVXdeuAAoJEONAdDQ9I/mwqZIH/0oEIavQFBVd5/eR/EotcugR
/v3cii5bKIIOX1FPrBH8uWm7DGsix75u5fhBjSNsERwI+lWFfDNoWpMFVTcdWePt
urJyBJfdh5pTU216eUFxQeNeRLd/nkSVV+O0fgz26jcobLmf6OMB2Os7UdWFvlWv
DSG74M+FsCsroCSBFWpxrJq9UNfvwvI2BOVnLqnFbwDhEzcxTezK+ngRSdx0pv/X
sMO4jzvc66n3hFgh35NhpdWsH41nX7j7TGb+uskgQv4KjIoWebn2Hsvy5NjoX7L/
+8o3gB47gtSIzLE36Cyaul1koSDtOKntAK56Mku3Dh1o5PHOfcAxUPE+nBoEY6c=
=ku8v
-----END PGP SIGNATURE-----
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel