
[Xen-devel] [PATCH] Clean up minor inconsistency re public disclosure



Include a summary of both kinds of e-mail which may be sent to the
pre-disclosure list in the "Pre-disclosure list" section, before the
discussion of what is expected of pre-disclosure list members.  Also
make it consistently clear that the public disclosure will always be
sent to the pre-disclosure list.

Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
---
 security_vulnerability_process.html |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/security_vulnerability_process.html 
b/security_vulnerability_process.html
index 568279d..e305371 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -141,9 +141,7 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript 
src=/globals/mmenuns4.js><\/scr
     <p>Public advisories will be posted to xen-devel,
        xen-users and xen-annnounce and will be added to the
        <a href="http://wiki.xen.org/wiki/Security_Announcements";>Security 
Announcements wiki page</a>.</p>
-    <p>Copies will also be sent to the pre-disclosure list, unless
-       the advisory was already sent there previously during the embargo
-       period and has not been updated since.</p>
+    <p>Copies will also be sent to the pre-disclosure list.</p>
     </li>
 
     <li><p><b>Updates</b></p>
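Review bot: The replacement sentence "Copies will also be sent to the pre-disclosure list." drops the exception but does not carry the "always" that the commit message promises. A list member who already received the advisory during the embargo cannot tell from this wording that a second, unchanged copy is intended. Consider "Copies will always be sent to the pre-disclosure list, even if the advisory was already sent there during the embargo period." While touching this paragraph, the context line above spells the list name "xen-annnounce" with three n's, which could be fixed in the same patch.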
@@ -208,6 +206,11 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript 
src=/globals/mmenuns4.js><\/scr
     a case-by-case basis.</p>    
     <p>The list of entities on the pre-disclosure list is public. (Just the 
list
     of projects and organisations, not the actual email addresses.)</p>  
+    <p>If there is an embargo, the pre-disclosure list will receive
+    copies of the advisory and patches, with a clearly marked embargo
+    date, as soon as they are available.  The pre-disclosure list will
+    also receive copies of public advisories when they are first
+    issued or updated.</p>
     <p>Pre-disclosure list members are expected to maintain the confidentiality
     of the vulnerability up to the embargo date which security@xen have agreed
     with the discoverer.</p>    
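Review bot: In the added paragraph, "copies of the advisory and patches ... as soon as they are available" is ambiguous about whether the advisory is held back until patches exist or sent on its own first. If the intent is that each item goes out when it is ready, say so, for example "copies of the advisory, and of any patches as soon as they are available, each with a clearly marked embargo date". The second sentence now overlaps with the "Copies will also be sent to the pre-disclosure list" line in the Public advisories item changed by the first hunk; the wording of the two should match ("first issued or updated" appears only here).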
@@ -229,7 +232,6 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript 
src=/globals/mmenuns4.js><\/scr
     <p>Organisations who meet the criteria should contact security@xen if they 
wish to receive pre-disclosure of advisories. Organisations should not request 
subscription via the mailing list web interface, any such subscription requests 
will be rejected and ignored.</p>
     <p>Normally we would prefer that a role address be used for each 
organisation, rather than one or more individual's direct email address. This 
helps to ensure that changes of personnel do not end up effectively dropping an 
organisation from the list</p>
 
-    <p>The pre-disclosure list will also receive copies of public advisories 
when they are first issued or updated.</p>
     
     <h3>Organizations on the pre-disclosure list:</h3>
     <p>This is a list of organisations on the pre-disclosure list
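Review bot: Removing the paragraph leaves the whitespace-only line that followed it, so the file now has an empty line and then a line of trailing spaces before the "Organizations on the pre-disclosure list" heading. Drop the whitespace-only line in the same hunk. The context paragraph just above also ends "from the list</p>" without a full stop, which would be cheap to fix here.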
-- 
1.7.9.5

