[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

To: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
From: Tim Deegan <tim@xxxxxxx>
Date: Mon, 9 Jul 2012 14:51:01 +0100
Cc: Jan Beulich <JBeulich@xxxxxxxx>, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Lars Kurth <lars.kurth@xxxxxxx>, Matt Wilson <msw@xxxxxxxxxx>
Delivery-date: Mon, 09 Jul 2012 13:51:33 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

At 13:31 +0200 on 09 Jul (1341840671), Joanna Rutkowska wrote:
> If you're into security industry (going to conferences, etc) you
> certainly know the right people who would be delight to buy exploits
> from you, believe me ;) Probably most Xen developers don't fit into this
> crowd, true, but then again, do you think it would be so hard for an
> interested organization to approach one of the Xen developers on the
> pre-disclousure list? How many would resist if they had a chance to cash
> in some 7-figure number for this (I read in the press that hot
> bugs/exploits sell for this amount actually)?

I think the argument is that an exploit that's going to be public (and
patched) in the next couple of weeks would not fetch the same kind of
price as a unknown attack that can be kept for later.

OTOH, I'm sure it's worth something for chance to get in early and
install a rootkit, or just crash your rivals' systems for the bad
publicity.

I'm not sure there's an enormous difference between a leaky
predisclosure list and full disclosure, but FWIW I'm in favour of 
(a) having a list, and (b) keeping the embargo at no more than two weeks.

Tim.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska

References:
- [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: George Dunlap
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: George Dunlap
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska

Prev by Date: Re: [Xen-devel] Recommendations for backport from unstable to 4.1
Next by Date: Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Previous by thread: Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Next by thread: Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.