Re: Suggested changes to the admission policy of the vulnerability pre-disclosure list
On Mon, Jul 19, 2021 at 9:49 AM Charles-H. Schulz <charles.schulz@xxxxxxxx> wrote:
Nonetheless, you still haven't made a clear case why being informed of the vulnerabilities *under embargo* is necessary. Anyone can sign up to the xen-announce mailing list and receive notifications of XSAs at the moment the embargo lifts. We advertise *that new advisories are coming out* on the main XSA webpage [1] and in a machine-readable JSON file [2] as soon as the predisclosure happens. (There are also libraries [3] to consume the JSON file, and an example program [4] which could be run in a cron job to alert someone to upcoming public XSA disclosures.)

The delta between the predisclosure and the public disclosure is typically two weeks. Someone could argue that all of the activities you describe -- looking for larger patterns of vulnerabilities, acting as a clearinghouse / notification channel / advisory system for downstreams, etc -- could be done by observing the public disclosures, particularly if suitable people were alerted to upcoming public disclosures (and thus ready to process them as soon as they come out). What is needed is to make the case that this is insufficient -- that having the extra two weeks to process things before the public disclosure will be of material benefit in those activities. (Hopefully it should be clear that I'm inviting you to make such a case.)

>> The what if question is not a valid one, as you are either recognized as a

Jan, I think if you think it's better to include "private CERTs" (do such things exist?), then it should be up to you (or someone else in favor of such a thing) to craft the criteria for inclusion. I personally think limiting ourselves to national CERTs to begin with is fine.

1. Specific proposed changes to the security policy to be hammered out
2. Someone to hold a project-wide vote, in accordance with the XenProject Governance Document.

Normally #2 would be me, but today is my last day until January.

-George
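The message above mentions a machine-readable JSON file of upcoming advisories and an example program that could run from cron to alert someone before a public XSA disclosure. The script below is an added illustration of that idea, not the Xen Project's own program or the thread's code: it reads a feed, picks out advisories whose public disclosure falls within a configurable horizon, and deduplicates against state kept between cron runs. The feed layout (a list under "xsas" with "xsa" and "public_time" fields) and the sample entries are constructed assumptions for this example; the real feed's field names are not shown on this page and must be checked against it.

```python
"""Alert on upcoming public XSA disclosures read from a predisclosure feed.

Added example (not the project's code). The feed schema and the sample data
below are ASSUMPTIONS for illustration; verify field names against the real
feed before using this against it.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed; the field names are assumed, not the real schema.
SAMPLE_FEED = json.dumps({
    "xsas": [
        {"xsa": "XSA-EXAMPLE-1", "public_time": "2021-07-27T12:00:00Z"},
        {"xsa": "XSA-EXAMPLE-2", "public_time": "2021-08-10T12:00:00Z"},
        {"xsa": "XSA-EXAMPLE-3", "public_time": "2021-07-01T12:00:00Z"},
        {"xsa": "XSA-EXAMPLE-4"},  # predisclosed, no public date announced yet
    ]
})

# Fixed "current time" so the example is reproducible offline (constructed).
EXAMPLE_NOW = datetime(2021, 7, 20, tzinfo=timezone.utc)


def parse_time(text):
    """Parse an ISO-8601 timestamp; accept the trailing 'Z' form that
    datetime.fromisoformat does not understand on older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def upcoming_xsas(feed_text, now, horizon_days=14):
    """Return (id, public_time) pairs for advisories whose public disclosure
    is still in the future but no more than horizon_days away, soonest first.
    Entries without a date are skipped: there is nothing to schedule around."""
    data = json.loads(feed_text)
    horizon = now + timedelta(days=horizon_days)
    hits = []
    for entry in data.get("xsas", []):
        when = entry.get("public_time")
        if not when:
            continue
        public_at = parse_time(when)
        if now < public_at <= horizon:
            hits.append((entry["xsa"], public_at))
    hits.sort(key=lambda hit: hit[1])
    return hits


def new_alerts(hits, seen):
    """Return ids not yet alerted on. `seen` is state persisted between cron
    runs (e.g. a file of ids) so the same advisory is not reported every run."""
    return [xsa_id for xsa_id, _ in hits if xsa_id not in seen]


def format_alert(hits, now):
    """Human-readable lines for the notification, one per advisory."""
    return [
        "%s: public disclosure in %d days (%s UTC)"
        % (xsa_id, (public_at - now).days, public_at.strftime("%Y-%m-%d %H:%M"))
        for xsa_id, public_at in hits
    ]


if __name__ == "__main__":
    # Stand-alone run over the constructed feed with an empty "seen" state.
    found = upcoming_xsas(SAMPLE_FEED, EXAMPLE_NOW)
    fresh = set(new_alerts(found, seen=set()))
    for line in format_alert([h for h in found if h[0] in fresh], EXAMPLE_NOW):
        print(line)
```

In a real deployment the feed text would be fetched over HTTPS on each cron run and the `seen` set written back to disk after alerting; both are left out so the block runs offline on the constructed data.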