[Xen-devel] [Formal Vote] Changes to Xen Project Security Vulnerability Process - Open until June 8th, 2015

[Lars Kurth <lars.kurth.xen@xxxxxxxxx>]

Hi,

in accordance with the project's governance, I would like to put the following text changes to a committer vote (committers are on the TO list). The discussion leading to the changes can be found at http://lists.xenproject.org/archives/html/xen-devel/2015-05/msg02881.html

Please vote +1, 0, -1 with explanation as usual. You can reply publicly or in private and I will collate results on the 9th.

Regards

Lars

Old text in http://www.xenproject.org/security-policy.html

---

Specific process

...

4. Advisory pre-release: 

This occurs only if the advisory is embargoed (ie, the problem is not already public): 

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 

For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.

---

Proposed text (this adds an additional paragraph, while  leaving the existing text as-is):

---

Specific process

...

4. Advisory pre-release: 

This occurs only if the advisory is embargoed (ie, the problem is not already public): 

As soon as our advisory is available, we will send it, including patches, to members of the Xen security pre-disclosure list. 

In the event that we do not have a patch available two working weeks before the disclosure date, we aim to send an advisory that reflects the current state of knowledge to the Xen security pre-disclosure list. An updated advisory will be published as soon as available.

For more information about this list, see below. At this stage the advisory will be clearly marked with the embargo date.

---

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel