[Xen-devel] [PATCH v2 SECURITY-POLICY 8/9] Clarify what announcements may be made by to service users
Service provider list members should not be prevented from being reasonably honest with their users. Signed-off-by: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> --- security_vulnerability_process.html | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html index 7412652..3b9c1ba 100644 --- a/security_vulnerability_process.html +++ b/security_vulnerability_process.html @@ -222,6 +222,14 @@ restrictions only insofar as it is necessary to prevent the exposure of technicalities (for example, differences in behaviour) which present a significant risk of rediscovery of the vulnerability. Such situations are expected to be rare.</p> +<p>Where the list member is a service provider who intends to take +disruptive action such as rebooting as part of deploying a fix: the +list member's communications to its users about the service disruption +may mention that the disruption is to correct a security issue, and +relate it to the public information about the issue (as listed above). +This applies whether the deployment occurs during the embargo (with +permission - see above) or is planned for after the end of the +embargo.</p> <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.</p> -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
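Review bot: In the added paragraph, "relate it to the public information about the issue (as listed above)" permits tying the disruption notice to the public information but does not say the notice is limited to it. Consider wording such as "and may relate it only to the public information about the issue (as listed above)", so that an announcement made during the embargo cannot be read as free to include the technicalities that the preceding paragraph restricts. "with permission - see above" would also be clearer if it named the part of the policy that grants deployment during the embargo, since "above" is used twice in this paragraph for two different references. Separately, the subject line has a stray word ("made by to service users"), and the message carries two Signed-off-by lines for the same author.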