[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [Xen-users] Security disclosure process discussion update

On Mon, Jan 07, 2013 at 04:46:19PM +0000, Ian Campbell wrote:
> Dropping -announce.
> On Mon, 2013-01-07 at 16:37 +0000, Konrad Rzeszutek Wilk wrote:
> > So if we use an mailing list internally..
> > > * Applicants and current members must submit a statement saying that they
> > > have
> > > read, understand, and will abide by this process document.
> > 
> > Are the folks on the internal mailing list bound by this as well? Meaning
> > that if a new person would like to join the internal mailing list they
> > need to have read, understood, etc the process document?
> I understood this to mean that the Organisation was agreeing to abide by
> it, which implies a duty to ensure that anyone with that organisation
> who is exposed to confidential information keeps it confidential. One
> obvious way to implement that would be the company to internally require
> new people to read and agree to the process document, but Xen.org need
> not be involved in that.
> It's not that dissimilar to how NDAs work in general I think.

Except that you don't have to mail out the forms :-)

> > I would presume so, but you are not stating it here nor:
> > 
> > http://wiki.xen.org/wiki/Security_vulnerability_process_draft
> > 
> > So what is driving the 'alias' requirement?
> There's no reason for Xen.org to be involved in the internals of each
> organisation's security team. Apart from the management overhead on our
> side it can also lead to situations where there are gaps in the coverage
> as people come and go but because the company cannot (easily) see the
> subscriber list on our end.

Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.