Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217
On 06/29/2012 06:01 PM, George Dunlap wrote:
> On Wed, Jun 27, 2012 at 7:07 PM, Thomas Goirand <thomas@xxxxxxxxxx> wrote:
>> On 06/20/2012 05:45 PM, George Dunlap wrote:
>>> The only way this would work is if the predisclosure list consisted
>>> exclusively of software providers, and specifically excluded service
>>> providers.
>> I agree, though you might have corner cases.
>>
>> What if you are *both* software and service provider (e.g.: I'm working on
>> Debian and XCP, and my small company provides a hosted Xen service)?
>
> If we do make a rule that only software providers can be on the list,
> and not service providers, then ideally you should try to separate the
> roles. If you are on the list as a software provider, you should use
> that information only to prepare patches; but not deploy them on your
> own systems until the embargo date.
>
> In a way, the question is very similar to asking, "I'm working on
> Debian and XCP, and my best friend owns a small company that provides
> a hosted Xen service." If you told your friend about the
> vulnerability, you would be breaking the security embargo (and giving
> your friend an unfair advantage over other hosting services), and
> would be at risk of being removed from the list if someone found out.
> If you wear two "hats", as it were, the same would be true if your
> developer "hat" told your service provider "hat": actually updating
> your systems before the embargo would (I think) be considered breaking
> the embargo, and would be giving yourself an unfair advantage over
> other hosting services.
>
> (All of the above discussion is, of course, only valid in the
> hypothetical situation that we don't allow service providers to be on
> the list.)
>
> -George

Exactly what I think as well. I'm happy you wrote the above.

Thomas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel