[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list
As discussed on the xen-devel mailing list, allow any public hosting provider to join the pre-disclosure list: * Change "Large hosting providers" to "Public hosting providers" * Add rule of thumb for what "public hosting provider" means * Add an itemized list of information to be included in the application, to make expectations clear and (hopefully) applications more streamlined. NOTE: This RFC is meant to be a way to start a discussion on the exact wording which will be voted on. Once it has gone through review from the xen-devel mailing list, I will post an "RC" and announce it on the Xen blog, as well as on xen-users. Once discussion seems to have converged, I will post a "FINAL" one, which I will put up for a vote. Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx> --- security_vulnerability_process.html | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html index e305371..35236c9 100644 --- a/security_vulnerability_process.html +++ b/security_vulnerability_process.html @@ -194,16 +194,18 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr addresses (ideally, role addresses) of the security response teams for significant Xen operators and distributors.</p> <p>This includes:<ul> - <li>Large-scale hosting providers;</li> + <li>Public hosting providers;</li> <li>Large-scale organisational users of Xen;</li> <li>Vendors of widely-deployed Xen-based systems;</li> <li>Distributors of widely-deployed operating systems with Xen support.</li> </ul></p> <p>This includes both corporations and community institutions.</p> - <p>Here as a rule of thumb "large scale" and "widely deployed" means an - installed base of 300,000 or more Xen guests; other well-established - organisations with a mature security response process will be considered on - a case-by-case basis.</p> + <p>Here as a rule of thumb, "public hosting provider" means + "selling virtualization services to the general public"; + "large-scale" and "widely deployed" means an installed base of + 300,000 or more Xen guests. Other well-established organisations + with a mature security response process will be considered on a + case-by-case basis.</p> <p>The list of entities on the pre-disclosure list is public. (Just the list of projects and organisations, not the actual email addresses.)</p> <p>If there is an embargo, the pre-disclosure list will receive @@ -229,8 +231,19 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr <li>The planned disclosure date</li> </ul></p> - <p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories. Organisations should not request subscription via the mailing list web interface, any such subscription requests will be rejected and ignored.</p> - <p>Normally we would prefer that a role address be used for each organisation, rather than one or more individual's direct email address. This helps to ensure that changes of personnel do not end up effectively dropping an organisation from the list</p> + <p>Organisations who meet the criteria should contact security@xen + if they wish to receive pre-disclosure of advisories. Please + include in the e-mail: <ul> + <li>The name of your organization</li> + <li>A brief description of why you fit the criteria</li> + <li>A security alias e-mail address (see below)</li> + <li>A web page with your security policy statement</li> + <li>If you are a public hosting provider, a web page with your public rates</li> + </ul> + Organisations should not request subscription via the mailing + list web interface, any such subscription requests will be + rejected and ignored.</p> + <p>We prefer that a role address be used for each organisation, rather than one or more individual's direct email address. This helps to ensure that changes of personnel do not end up effectively dropping an organisation from the list</p> <h3>Organizations on the pre-disclosure list:</h3> -- 1.7.9.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |