[Xen-devel] [PATCH 1/6] Clarify what info predisclosure list members may share during an embargo
See <20448.49637.38489.246434@xxxxxxxxxxxxxxxxxxxxxxxx>, section "7. Public communications during the embargo period" --- security_vulnerability_process.html | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html index d1a6629..eff108a 100644 --- a/security_vulnerability_process.html +++ b/security_vulnerability_process.html @@ -195,9 +195,17 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr should not make available, even to their own customers and partners:<ul> <li>the Xen.org advisory</li> <li>their own advisory</li> + <li>the impact, scope, set of vulnerable systems or the nature + of the vulnerability</li> <li>revision control commits which are a fix for the problem</li> <li>patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.</li> </ul></p> + <p>List members are allowed to make available to their users only the following:<ul> + <li>The existance of an issue</li> + <li>The assigned XSA and CVE numbers</li> + <li>The planned disclosure date</li> + </ul></p> + <p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.</p> <p>The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.</p> -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
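Review bot: The added list item "The existance of an issue" is misspelled and should read "The existence of an issue". The new paragraph says list members may share "only the following", which turns the preceding "should not make available" list into a set of examples rather than a complete rule; say that explicitly in the text that introduces the first list, so that information named in neither list is not read as permitted. The items added to the second list are capitalised while the items in the first list, including the new "the impact, scope, ..." entry, are lower-case; use one style for both.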