[Xen-devel] [PATCH v2 SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo
Permitting sharing of embargoed fixes amongst predisclosure list seemed to have appropriate consensus.

IMPLEMENTATION TASKS:

 * Send a notification to the existing predisclosure list members
   informing them that they have been subscribed to the new list.
   Notice should point them to the policy section on filtering by
   List-Id, and offer to unsubscribe them from both lists if they
   prefer.

 * Create the new mailing list, and
   - check that it can be emailed from outside
   - that messages are held for moderation and can be approved

Signed-off-by: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>

---
v2: Obfuscate -discuss@ list's full email address with <dot> and <span>.
---
 security_vulnerability_process.html | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index de8fd44..2d32e51 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -224,6 +224,27 @@ situations are expected to be rare.</p> <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.</p> +<h3>Information-sharing amongst predisclosure list members</h3> +<p>Predisclosure list members are allowed to share fixes to embargoed issues, +analysis, etc., with the security teams of other list members. +Technical measures must be taken to prevents non-list-member +organisations, or unauthorised staff in list-member organisations, +from obtaining the embargoed materials.</p> +<p>The Xen Project provides the mailing list +<code>xen-security-issues-discuss@xxxxxxxxxxxxxxxx<do<span>t></span>org</code> +for this purpose. List members are encouraged to use it but +may share with other list members' security teams via other +channels.</p> +<p>The <code>-discuss</code> list's distribution is identical to that of the primary +predisclosure list <code>xen-security-issues</code>. Recipient organisations who +do not wish to receive all of the traffic on -discuss should use +recipient-side email filtering based on the provided <code>List-Id</code>.</p> +<p>The <code>-discuss</code> list is moderated by the Xen Project Security Team. +Announcements of private availability of fixed versions, and +technical messages about embargoed advisories, will be approved. +Messages dealing with policy matters will be rejected with a +reference to the Security Team contact address and/or public Xen +mailing lists.</p> <h3>Predisclosure list membership application process</h3> <p>Organisations who meet the criteria should contact predisclosure-applications@xenproject<d<span>ot</span>>org -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
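Review bot: The first added paragraph has a verb agreement error: "Technical measures must be taken to prevents non-list-member organisations" should read "must be taken to prevent". Two smaller style points in the same hunk: "all of the traffic on -discuss" leaves -discuss unmarked while the other two mentions in the hunk use <code>-discuss</code>, so wrap it the same way; and the obfuscation of the -discuss address is written as <do<span>t></span>, whereas the existing predisclosure-applications address in the trailing context uses <d<span>ot</span>>, so the two patterns should be made identical so that both addresses render the same way in a browser.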