
Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

Dropping -announce.

On Mon, 2013-01-07 at 16:37 +0000, Konrad Rzeszutek Wilk wrote:

> So if we use a mailing list internally..
> > * Applicants and current members must submit a statement saying that they
> > have
> > read, understand, and will abide by this process document.
> Are the folks on the internal mailing list bound by this as well? Meaning
> that if a new person would like to join the internal mailing list they
> need to have read, understood, etc the process document?

I understood this to mean that the Organisation was agreeing to abide by
it, which implies a duty to ensure that anyone within that organisation
who is exposed to confidential information keeps it confidential. One
obvious way to implement that would be for the company to internally require
new people to read and agree to the process document, but Xen.org need
not be involved in that.

It's not that dissimilar to how NDAs work in general I think.

> I would presume so, but you are not stating it here nor:
> http://wiki.xen.org/wiki/Security_vulnerability_process_draft
> So what is driving the 'alias' requirement?

There's no reason for Xen.org to be involved in the internals of each
organisation's security team. Apart from the management overhead on our
side, it can also lead to situations where there are gaps in the coverage
as people come and go, because the company cannot (easily) see the
subscriber list on our end.
