
Re: [Xen-devel] Earlier embargoed pre-disclosure without patches



On Tue, 26 May 2015, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> > > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > > > If you were to ask for this only if the time gap until embargo expiry
> > > > was less than the default of two weeks, maybe I would buy this.
> > > 
> > > I'm good with that as well.  I think we're saying:
> > > 
> > >   if embargo_length < 14d:
> > >     # XSA-133 situation
> > >     send_pre_disclosure_draft()
> > >     wait_for_patches()
> > >   elif embargo_length >= 14d and not patches_ready:
> > >     wait_for_patches()
> > >   else:
> > >     send_pre_disclosure_full()
> > > 
> > > Forgive my awful pseudo code. My coffee buffer is not yet full. ;)
> > It makes sense to me. I can see the value for an organization with
> > thousands of servers to know about it in advance, regardless of the
> > patches, so that it can schedule the update work appropriately.
> 
> Thanks for the help, folks.  I've tossed a proposed security policy change 
> into a Github gist[1].
> 
> My proposal is to add this paragraph to the "Embargo and disclosure schedule" 
> section of the Xen Security Policy[2]:
> 
>     In the event that a two week embargo cannot be guaranteed,
>     we will send a draft with information about the vulnerability
>     to the pre-disclosure list as soon as possible, even if 
>     patches have not yet been written or tested.  An updated 
>     draft will be sent to the pre-disclosure list once patches
>     become available.
> 
> I welcome any and all feedback.  Thanks!

I would go for:

In the event that public disclosure is less than 15 days away, we will
send a draft with information about the vulnerability to the
pre-disclosure list as soon as possible, even if patches have not yet
been written or tested.  An updated draft will be sent to the
pre-disclosure list once patches become available.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel