Mailing List Archive

Earlier embargoed pre-disclosure without patches

Hello there,

I'd like to suggest a change to the Xen Security Problem Response Process[0]. The section I'm concerned with is here:

> As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
>
> One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.

Would it be possible to send out a pre-disclosure notice as soon as permission is granted from the discoverer and the vulnerability is verified as valid? In other words, could a pre-disclosure email be sent to parties on the pre-disclosure list *PRIOR* to patches being available?

There is a significant amount of value for larger organizations in receiving a notice earlier -- even if it's without patches -- so that preparations can be made. As an example, v1 of a pre-disclosure email may discuss the vulnerability, affected versions, and potential impact without including patches. Once patches are developed/tested, a v2 email could be released. This would give organizations more time to determine how much of their fleet is potentially vulnerable and develop a plan for patching or mitigation.

Thanks for reading this far.

[0] http://www.xenproject.org/security-policy.html

--
Major Hayden

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: Earlier embargoed pre-disclosure without patches
>>> On 21.05.15 at 15:03, <major.hayden@rackspace.com> wrote:
> Would it be possible to send out a pre-disclosure notice as soon as
> permission is granted from the discoverer and the vulnerability is verified
> as valid? In other words, could a pre-disclosure email be sent to parties on
> the pre-disclosure list *PRIOR* to patches being available?
>
> There is a significant amount of value for larger organizations in receiving
> a notice earlier -- even if it's without patches -- so that preparations can be
> made. As an example, v1 of a pre-disclosure email may discuss the
> vulnerability, affected versions, and potential impact without including
> patches. Once patches are developed/tested, a v2 email could be released.
> This would give organizations more time to determine how much of their fleet
> is potentially vulnerable and develop a plan for patching or mitigation.

I realize this is being written under the impression of XSA-133, where
the usual 2 week window between pre-disclosure and public disclosure
was (almost) missing. But that's an exception, not the rule. Are you
saying that the usual 2 week advance notice is not enough?

Jan


Re: Earlier embargoed pre-disclosure without patches
On 05/22/2015 02:40 AM, Jan Beulich wrote:
> I realize this is being written under the impression of XSA-133, where
> the usual 2 week window between pre-disclosure and public disclosure
> was (almost) missing. But that's an exception, not the rule. Are you
> saying that the usual 2 week advance notice is not enough?

Correct -- this came to light after the events around XSA-133.

The two week window is an acceptable amount of time for pre-disclosure. However, from the timeline in the XSA-133 retrospective[1], the Xen security team was aware of the vulnerability on May 1 while the notification for the pre-disclosure list was held until May 11. It looks like there might have been two reasons for the delay: updated patches and permission from the discoverer for release. (This was my interpretation so please correct me if I read it incorrectly.)

My request is that the Xen security team would send a pre-disclosure notice of the vulnerability as soon as permission from the discoverer is granted *even if* patches aren't available. For example, I'd like to receive a notice saying "there's a vulnerability, here's what we know about it, patches are forthcoming with additional information".

That would allow for more preparation on the business side of more organizations. There are obvious technical challenges with these vulnerabilities but there are plenty of business-side preparations which need to be made (how to communicate with customers after embargo ends, deployment of test hardware, plans for staffing during patching periods). Many of these could get started prior to patches being available.

Hopefully that makes sense. I'd rather receive an incomplete vulnerability report than wait for a fully complete report.

[1] http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02872.html

--
Major Hayden

Re: Earlier embargoed pre-disclosure without patches
>>> On 22.05.15 at 15:14, <major.hayden@rackspace.com> wrote:
> My request is that the Xen security team would send a pre-disclosure notice
> of the vulnerability as soon as permission from the discoverer is granted
> *even if* patches aren't available. For example, I'd like to receive a
> notice saying "there's a vulnerability, here's what we know about it, patches
> are forthcoming with additional information".

If you were to ask for this only if the time gap until embargo expiry
was less than the default of two weeks, maybe I would buy this.

Jan


Re: Earlier embargoed pre-disclosure without patches

On 05/22/2015 09:04 AM, Jan Beulich wrote:
> If you were to ask for this only if the time gap until embargo expiry
> was less than the default of two weeks, maybe I would buy this.

I'm good with that as well. I think we're saying:

if embargo_length < 14d:
    # XSA-133 situation
    send_pre_disclosure_draft()
    wait_for_patches()
elif embargo_length >= 14d and not patches_ready:
    wait_for_patches()
else:
    send_pre_disclosure_full()

Forgive my awful pseudo code. My coffee buffer is not yet full. ;)

--
Major Hayden

Re: Earlier embargoed pre-disclosure without patches
On Fri, 22 May 2015, Major Hayden wrote:
> On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > If you were to ask for this only if the time gap until embargo expiry
> > was less than the default of two weeks, maybe I would buy this.
>
> I'm good with that as well. I think we're saying:
>
> if embargo_length < 14d:
>     # XSA-133 situation
>     send_pre_disclosure_draft()
>     wait_for_patches()
> elif embargo_length >= 14d and not patches_ready:
>     wait_for_patches()
> else:
>     send_pre_disclosure_full()
>
> Forgive my awful pseudo code. My coffee buffer is not yet full. ;)

It makes sense to me. I can see the value for an organization with
thousands of servers to know about it in advance, regardless of the
patches, so that it can schedule the update work appropriately.

Re: Earlier embargoed pre-disclosure without patches
On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> On Fri, 22 May 2015, Major Hayden wrote:
>> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
>> >
>> > I'm good with that as well. I think we're saying:
>> >
>> > if embargo_length < 14d:
>> >     # XSA-133 situation
>> >     send_pre_disclosure_draft()
>> >     wait_for_patches()
>> > elif embargo_length >= 14d and not patches_ready:
>> >     wait_for_patches()
>> > else:
>> >     send_pre_disclosure_full()
>> >
>> > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> It makes sense to me. I can see the value for an organization with
> thousands of servers to know about it in advance, regardless of the
> patches, so that it can schedule the update work appropriately.

Thanks for the help, folks. I've tossed a proposed security policy change into a Github gist[1].

My proposal is to add this paragraph to the "Embargo and disclosure schedule" section of the Xen Security Policy[2]:

In the event that a two week embargo cannot be guaranteed,
we will send a draft with information about the vulnerability
to the pre-disclosure list as soon as possible, even if
patches have not yet been written or tested. An updated
draft will be sent to the pre-disclosure list once patches
become available.

I welcome any and all feedback. Thanks!

[1] https://gist.github.com/major/1a4f7ba7787b754845e9
[2] http://www.xenproject.org/security-policy.html

--
Major Hayden

Re: Earlier embargoed pre-disclosure without patches
On Tue, 26 May 2015, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> >> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> >>> > > If you were to ask for this only if the time gap until embargo expiry
> >>> > > was less than the default of two weeks, maybe I would buy this.
> >> >
> >> > I'm good with that as well. I think we're saying:
> >> >
> >> > if embargo_length < 14d:
> >> >     # XSA-133 situation
> >> >     send_pre_disclosure_draft()
> >> >     wait_for_patches()
> >> > elif embargo_length >= 14d and not patches_ready:
> >> >     wait_for_patches()
> >> > else:
> >> >     send_pre_disclosure_full()
> >> >
> >> > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks. I've tossed a proposed security policy change into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure schedule" section of the Xen Security Policy[2]:
>
> In the event that a two week embargo cannot be guaranteed,
> we will send a draft with information about the vulnerability
> to the pre-disclosure list as soon as possible, even if
> patches have not yet been written or tested. An updated
> draft will be sent to the pre-disclosure list once patches
> become available.
>
> I welcome any and all feedback. Thanks!

I would go for:

In the event that public disclosure is less than 15 days away, we will
send a draft with information about the vulnerability to the
pre-disclosure list as soon as possible, even if patches have not yet
been written or tested. An updated draft will be sent to the
pre-disclosure list once patches become available.

Re: Earlier embargoed pre-disclosure without patches

On 05/26/2015 11:50 AM, Stefano Stabellini wrote:
> I would go for:
>
> In the event that public disclosure is less than 15 days away, we will
> send a draft with information about the vulnerability to the
> pre-disclosure list as soon as possible, even if patches have not yet
> been written or tested. An updated draft will be sent to the
> pre-disclosure list once patches become available.

No objections here. +1

--
Major Hayden

Re: Earlier embargoed pre-disclosure without patches
(Just adding Lars so he is aware and can run the formal vote once we
have consensus on a proposal for new text)

On Tue, 2015-05-26 at 15:38 +0000, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> >> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> >>> > > If you were to ask for this only if the time gap until embargo expiry
> >>> > > was less than the default of two weeks, maybe I would buy this.
> >> >
> >> > I'm good with that as well. I think we're saying:
> >> >
> >> > if embargo_length < 14d:
> >> >     # XSA-133 situation
> >> >     send_pre_disclosure_draft()
> >> >     wait_for_patches()
> >> > elif embargo_length >= 14d and not patches_ready:
> >> >     wait_for_patches()
> >> > else:
> >> >     send_pre_disclosure_full()
> >> >
> >> > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
>
> Thanks for the help, folks. I've tossed a proposed security policy change into a Github gist[1].
>
> My proposal is to add this paragraph to the "Embargo and disclosure schedule" section of the Xen Security Policy[2]:
>
> In the event that a two week embargo cannot be guaranteed,
> we will send a draft with information about the vulnerability
> to the pre-disclosure list as soon as possible, even if
> patches have not yet been written or tested. An updated
> draft will be sent to the pre-disclosure list once patches
> become available.
>
> I welcome any and all feedback. Thanks!
>
> [1] https://gist.github.com/major/1a4f7ba7787b754845e9
> [2] http://www.xenproject.org/security-policy.html
>
> --
> Major Hayden
>



Re: Earlier embargoed pre-disclosure without patches
On 05/26/15 16:34, Major Hayden wrote:
> On 05/26/2015 11:50 AM, Stefano Stabellini wrote:
>> I would go for:
>
>> In the event that public disclosure is less than 15 days away, we will
>> send a draft with information about the vulnerability to the
>> pre-disclosure list as soon as possible, even if patches have not yet
>> been written or tested. An updated draft will be sent to the
>> pre-disclosure list once patches become available.
>
> No objections here. +1
>
>

Also looks good to me. +1

-Don Slutz

Re: Earlier embargoed pre-disclosure without patches
> On 26 May 2015, at 17:34, Stefano Stabellini <stefano.stabellini@eu.citrix.com> wrote:
>>
>> Thanks for the help, folks. I've tossed a proposed security policy change into a Github gist[1].
>>
>> My proposal is to add this paragraph to the "Embargo and disclosure schedule" section of the Xen Security Policy[2]:
>>
>> In the event that a two week embargo cannot be guaranteed,
>> we will send a draft with information about the vulnerability
>> to the pre-disclosure list as soon as possible, even if
>> patches have not yet been written or tested. An updated
>> draft will be sent to the pre-disclosure list once patches
>> become available.
>>
>> I welcome any and all feedback. Thanks!
>
> I would go for:
>
> In the event that public disclosure is less than 15 days away, we will
> send a draft with information about the vulnerability to the
> pre-disclosure list as soon as possible, even if patches have not yet
> been written or tested. An updated draft will be sent to the
> pre-disclosure list once patches become available.

I think the wording can be tightened.

There appear to be two sections which are relevant in http://www.xenproject.org/security-policy.html

---
== Embargo and disclosure schedule ==

If a vulnerability is not already public, we would like to notify significant distributors and operators of Xen so that they can prepare patched software in advance. This will help minimise the degree to which there are Xen users who are vulnerable but can't get patches.

As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:

1. One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.

2. Two working weeks between issue of our advisory to our predisclosure list and publication. When a discoverer reports a problem to us and requests longer delays than we would consider ideal, we will honour such a request if reasonable.

If a discoverer wants an accelerated disclosure compared to what we would prefer, we naturally do not have the power to insist that a discoverer waits for us to be ready and will honour the date specified by the discoverer.

Naturally, if a vulnerability is being exploited in the wild we will make immediately public release of the advisory and patch(es) and expect others to do likewise.

...

== Specific process ==
...
4. Advisory pre-release:

This occurs only if the advisory is embargoed (ie, the problem is not already public):

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list.

For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.
...
6. Updates

If new information or better patches become available, or we discover mistakes, we may issue an amended (revision 2 or later) public advisory. This will also be sent to the pre-disclosure list.
...
---

I would want to propose to word the suggestion differently. Firstly: "An updated draft will be sent to the pre-disclosure list once patches become available." is already covered by 6 and not necessary. I would also like to propose to stick with "two working weeks" for consistency reasons.

The following change should suffice IMHO
---
== Specific process ==
...
4. Advisory pre-release:

This occurs only if the advisory is embargoed (ie, the problem is not already public):

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list.

In the event that we do not have a patch available two working weeks before the disclosure date, we will aim to send a draft of the advisory to the Xen security pre-disclosure list instead of a full advisory, and publish an updated advisory as soon as available.
---

Somebody may have to go over the new paragraph and fix grammar issues (sorry: very tired from long plane ride). We also have options: replace "will aim to" with "may"

Regards
Lars
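
The rule this thread converges on (Major Hayden's pseudocode earlier in the thread, with the threshold expressed as Lars Kurth's "two working weeks before the disclosure date") can be written out as a small simulation that shows, day by day, what the security team would send to the pre-disclosure list. This is an added worked example, not Xen project code and not anything posted in the thread. It assumes a working week of five Monday-to-Friday days, ignores public holidays, assumes the team only acts on working days, and uses constructed dates (2015-05-01 is a Friday) rather than the real XSA-133 timeline.

```python
"""Embargo pre-disclosure decision rule, as discussed in this thread.

Added worked example (not Xen project code): implements the pseudocode from
the thread with the "two working weeks before the disclosure date" threshold
from the proposed policy wording. All dates are constructed scenarios, not the
XSA-133 timeline; public holidays are ignored (assumption).
"""
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    SEND_FULL = "send full advisory with patches to the pre-disclosure list"
    SEND_DRAFT = "send draft advisory now; updated advisory once patches exist"
    WAIT = "keep waiting for patches"


# Assumption: a "working week" is five Monday-to-Friday days.
TWO_WORKING_WEEKS = 10


def _as_date(d):
    """Accept either a date or an ISO-8601 string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def working_days_until(today, disclosure) -> int:
    """Number of Mon-Fri days in [today, disclosure); 0 if disclosure has passed."""
    today, disclosure = _as_date(today), _as_date(disclosure)
    count = 0
    day = today
    while day < disclosure:
        if day.weekday() < 5:
            count += 1
        day += timedelta(days=1)
    return count


def predisclosure_action(today, disclosure, patches_ready: bool) -> Action:
    """Decide what the security team sends today (the thread's pseudocode)."""
    if patches_ready:
        return Action.SEND_FULL
    if working_days_until(today, disclosure) < TWO_WORKING_WEEKS:
        return Action.SEND_DRAFT
    return Action.WAIT


def simulate(notified, patches_ready_on, disclosure):
    """Walk each working day of the embargo and record what goes out when.

    Returns [(iso_date, action_name), ...]: at most one draft (the first working
    day the threshold is crossed without patches) and at most one full advisory
    (the first working day patches are ready, if that is before disclosure).
    """
    notified, patches_ready_on, disclosure = map(
        _as_date, (notified, patches_ready_on, disclosure))
    events = []
    draft_sent = False
    day = notified
    while day < disclosure:
        if day.weekday() < 5:  # assumption: the team acts on working days only
            action = predisclosure_action(day, disclosure, day >= patches_ready_on)
            if action is Action.SEND_FULL:
                events.append((day.isoformat(), action.name))
                break
            if action is Action.SEND_DRAFT and not draft_sent:
                events.append((day.isoformat(), action.name))
                draft_sent = True
        day += timedelta(days=1)
    return events


if __name__ == "__main__":
    # Constructed scenarios: (notified, patches ready, public disclosure).
    scenarios = {
        "normal: patches on day 11, disclosure four weeks out":
            ("2015-05-01", "2015-05-11", "2015-05-29"),
        "accelerated: discoverer set disclosure 11 days out":
            ("2015-05-01", "2015-05-11", "2015-05-12"),
        "late patches: ready two days before disclosure":
            ("2015-05-01", "2015-05-27", "2015-05-29"),
    }
    for label, args in scenarios.items():
        print(label)
        for when, what in simulate(*args):
            print(f"  {when}: {Action[what].value}")
```

In the accelerated scenario the draft goes out on the day of notification, because fewer than ten working days remain; in the late-patches scenario nothing is sent until the threshold is crossed on 2015-05-18, and the full advisory follows when patches land. If patches never arrive before disclosure, only the draft is ever sent.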

Re: Earlier embargoed pre-disclosure without patches
On 05/27/2015 12:47 PM, Lars Kurth wrote:
> ...
> 4. Advisory pre-release:
>
> This occurs only if the advisory is embargoed (ie, the problem is not already public):
>
> As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list.
>
> In the event that we do not have a patch available two working weeks before the disclosure date, we will aim to send a draft of the advisory to the Xen security pre-disclosure list instead of a full advisory, and publish an updated advisory as soon as available.
> ---

+1

I'm fine with this. Thanks, Lars.

--
Major Hayden
