[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC] Make all public hosting providers eligible for the pre-disclosure list

Hi,

Firstly I would like to say that it's great this conversation is
happening on the open list and that a wider set of organisations are
being considered.

On 16 November 2012 04:14, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:
> As discussed on the xen-devel mailing list, allow any public hosting
> provider to join the pre-disclosure list:
> * Change "Large hosting providers" to "Public hosting providers"
> * Add rule of thumb for what "public hosting provider" means
> * Add an itemized list of information to be included in the application,
> to make expectations clear and (hopefully) applications more streamlined.

As a smaller but more specialized hosting provider (security concious
clientèle) I am really glad to hear this.

I think important information that should be forthcoming from service
providers wanting to join the pre-disclosure group would be:

a) How they consume Xen, be it via a vendor, distro packages of some
kind or whether they build and package their own. Those doing their
own packaging I feel should be given somewhat of a priority because
they aren't able to rely on their vendor and instead must dedicate
resources to responding.
b) Their upgrade and security response procedures. It doesn't make
sense for someone to be on the pre-disclosure list if they lack the
ability (or more importantly the requirement) to aggressively test and
push out security fixes.
c) Resources available to assist in testing security patches. This
might be a non-issue but I personally think it's somewhat important
that groups on the pre-disclosure list are able to assist in testing
or reviewing patches, this improves the quality of said patches and
might allow a greater degree of vulnerability exploration. This is
however, largely my own opinion on what is considered fair
contribution in return for the privilege.

I think there should also be appropriate "guideline" points/criteria
that should be covered by other categories of organisations seeking to
join the pre-disclosure group.

Sorry if ideas along the lines of these have already been raised.

>
> NOTE: This RFC is meant to be a way to start a discussion on the exact
> wording which will be voted on.  Once it has gone through review from
> the xen-devel mailing list, I will post an "RC" and announce it on the
> Xen blog, as well as on xen-users.  Once discussion seems to have
> converged, I will post a "FINAL" one, which I will put up for a vote.
>
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxxxxx>
> ---
>  security_vulnerability_process.html |   27 ++++++++++++++++++++-------
>  1 file changed, 20 insertions(+), 7 deletions(-)
>
> diff --git a/security_vulnerability_process.html 
> b/security_vulnerability_process.html
> index e305371..35236c9 100644
> --- a/security_vulnerability_process.html
> +++ b/security_vulnerability_process.html
> @@ -194,16 +194,18 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript 
> src=/globals/mmenuns4.js><\/scr
>      addresses (ideally, role addresses) of the security response teams for
>      significant Xen operators and distributors.</p>
>      <p>This includes:<ul>
> -      <li>Large-scale hosting providers;</li>
> +      <li>Public hosting providers;</li>
>        <li>Large-scale organisational users of Xen;</li>
>        <li>Vendors of widely-deployed Xen-based systems;</li>
>        <li>Distributors of widely-deployed operating systems with Xen 
> support.</li>
>      </ul></p>
>      <p>This includes both corporations and community institutions.</p>
> -    <p>Here as a rule of thumb "large scale" and "widely deployed" means an
> -    installed base of 300,000 or more Xen guests; other well-established
> -    organisations with a mature security response process will be considered 
> on
> -    a case-by-case basis.</p>
> +    <p>Here as a rule of thumb, "public hosting provider" means
> +    "selling virtualization services to the general public";
> +    "large-scale" and "widely deployed" means an installed base of
> +    300,000 or more Xen guests.  Other well-established organisations
> +    with a mature security response process will be considered on a
> +    case-by-case basis.</p>
>      <p>The list of entities on the pre-disclosure list is public. (Just the 
> list
>      of projects and organisations, not the actual email addresses.)</p>
>      <p>If there is an embargo, the pre-disclosure list will receive
> @@ -229,8 +231,19 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript 
> src=/globals/mmenuns4.js><\/scr
>         <li>The planned disclosure date</li>
>      </ul></p>
>
> -    <p>Organisations who meet the criteria should contact security@xen if 
> they wish to receive pre-disclosure of advisories. Organisations should not 
> request subscription via the mailing list web interface, any such 
> subscription requests will be rejected and ignored.</p>
> -    <p>Normally we would prefer that a role address be used for each 
> organisation, rather than one or more individual's direct email address. This 
> helps to ensure that changes of personnel do not end up effectively dropping 
> an organisation from the list</p>
> +    <p>Organisations who meet the criteria should contact security@xen
> +      if they wish to receive pre-disclosure of advisories.  Please
> +      include in the e-mail: <ul>
> +       <li>The name of your organization</li>
> +       <li>A brief description of why you fit the criteria</li>
> +       <li>A security alias e-mail address (see below)</li>
> +       <li>A web page with your security policy statement</li>
> +       <li>If you are a public hosting provider, a web page with your public 
> rates</li>
> +      </ul>
> +      Organisations should not request subscription via the mailing
> +      list web interface, any such subscription requests will be
> +      rejected and ignored.</p>
> +    <p>We prefer that a role address be used for each organisation, rather 
> than one or more individual's direct email address. This helps to ensure that 
> changes of personnel do not end up effectively dropping an organisation from 
> the list</p>
>
>
>      <h3>Organizations on the pre-disclosure list:</h3>
> --
> 1.7.9.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel



-- 
CTO | Orion Virtualisation Solutions | www.orionvm.com.au
Phone: 1300 56 99 52 | Mobile: 0428 754 846

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.