[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
Hello Thomas, Wednesday, June 27, 2012, 8:07:25 PM, you wrote: > Hi Ian, > Thanks for discussing this in a public way! > On 06/20/2012 02:16 AM, Ian Jackson wrote: >> We had one request from a public Xen cloud provider to be provided >> with predisclosure information. However it appeared to us that they >> didn't meet the size threshold in the process document. >> >> The size threshold is of course open to discussion. >> > I find the concept of "Xen Cloud provider size threshold" > quite anti competitive. Why would a bigger provider, would > be offered a substantial advantage over the smaller one? > On 06/20/2012 02:16 AM, Ian Jackson wrote: >> One particular issue here which also relates to the predisclosure >> membership criteria, is whether large indirect consumers of Xen should >> be on the predisclosure list in their own right. That would allow >> them to deploy the fix before the embargo date. It would also allow >> them to prepare for testing and deployment, before the fix is >> available from their vendor (who would in this scenario also be >> entitled to be a predisclosure list member). >> > And other hosting providers not in the list? They can be hacked and die, > while the big ones are safe? > Why wouldn't a smaller company know? Can *I* be in the predisclosure list? > If you reject me from such list, why? What's the procedure to be on such > list? I think it's all a trade-off between: A) Informing as much stakeholders as possible about the threat B) Not informing anyone with malicious intentions And the assumptions that have been made are: C) Employees of large companies have a small chance of having malicious intentions D) The risk of informing someone with a malicious intention rises when more people are included on the list Well while D would probably be true .. C) is indeed more questionable It's also the question if larger companies don't break the embargo by informing their customers who aren't on the list, with as end result a rumor spreading in public. On the other hand i see no ways to circumvent any of these, except by fixing the threat ASAP and keeping the embargo time as short as possible. > On 06/20/2012 05:45 PM, George Dunlap wrote: >> The only way this would work is if the predisclosure list consisted >> exclusively of software providers, and specifically excluded service >> providers. > I agree, though you might have corner cases. > What if you are *both* software and service provider (eg: I'm working on > Debian and XCP, and my small company provides a hosted Xen service)? > Cheers, > Thomas -- Best regards, Sander mailto:linux@xxxxxxxxxxxxxx _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |