From: Ian Campbell <ian.campbell@citrix.com>
To: xen-devel@lists.xen.org
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>,
Ian Campbell <ian.campbell@citrix.com>
Subject: [PATCH 1/6] Clarify what info predisclosure list members may share during an embargo
Date: Thu, 23 Aug 2012 11:37:49 +0100 [thread overview]
Message-ID: <1345718274-7900-1-git-send-email-ian.campbell@citrix.com> (raw)
In-Reply-To: <1345718230.12501.79.camel@zakaz.uk.xensource.com>
See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
"7. Public communications during the embargo period"
---
security_vulnerability_process.html | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index d1a6629..eff108a 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -195,9 +195,17 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr
should not make available, even to their own customers and partners:<ul>
<li>the Xen.org advisory</li>
<li>their own advisory</li>
+ <li>the impact, scope, set of vulnerable systems or the nature
+ of the vulnerability</li>
<li>revision control commits which are a fix for the problem</li>
<li>patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.</li>
</ul></p>
+ <p>List members are allowed to make available to their users only the following:<ul>
+ <li>The existance of an issue</li>
+ <li>The assigned XSA and CVE numbers</li>
+ <li>The planned disclosure date</li>
+ </ul></p>
+
<p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.</p>
<p>The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.</p>
--
1.7.10.4
next prev parent reply other threads:[~2012-08-23 10:37 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-19 18:16 Security vulnerability process, and CVE-2012-0217 Ian Jackson
2012-06-20 8:49 ` Jan Beulich
2012-06-20 9:45 ` George Dunlap
2012-06-20 10:32 ` Jan Beulich
2012-07-02 13:59 ` Ian Campbell
2012-07-02 14:58 ` Jan Beulich
2012-07-02 15:04 ` Ian Campbell
2012-07-02 15:17 ` Alan Cox
2012-07-02 15:20 ` Ian Campbell
2012-06-28 18:30 ` Alan Cox
2012-07-04 9:27 ` Ian Campbell
2012-07-04 10:04 ` John Haxby
2012-06-29 10:26 ` George Dunlap
2012-06-29 10:41 ` Jan Beulich
2012-07-02 14:00 ` Ian Campbell
2012-06-23 19:42 ` Matt Wilson
2012-06-28 17:45 ` George Dunlap
2012-07-02 13:59 ` Ian Campbell
2012-06-27 18:07 ` Thomas Goirand
2012-06-27 19:14 ` Alan Cox
2012-06-27 19:30 ` Sander Eikelenboom
2012-06-28 9:28 ` Lars Kurth
2012-07-02 13:58 ` Ian Campbell
2012-07-02 14:51 ` Jan Beulich
2012-07-02 14:57 ` Ian Campbell
2012-07-03 22:03 ` Matt Wilson
2012-07-04 10:33 ` Ian Campbell
2012-07-04 11:24 ` Stefano Stabellini
2012-07-04 12:36 ` George Dunlap
2012-07-04 12:52 ` Jan Beulich
2012-07-04 12:56 ` George Dunlap
2012-07-04 13:01 ` Jan Beulich
2012-07-04 13:30 ` Stefano Stabellini
2012-07-04 14:09 ` Jan Beulich
2012-07-04 15:09 ` Stefano Stabellini
2012-07-06 14:36 ` John Haxby
2012-07-06 16:39 ` Matthew Allen
2012-07-06 17:24 ` George Dunlap
2012-06-29 10:01 ` George Dunlap
2012-06-29 15:48 ` Thomas Goirand
2012-07-02 13:59 ` Ian Campbell
2012-07-02 15:13 ` Alan Cox
2012-07-03 11:12 ` George Dunlap
2012-07-03 14:18 ` Stefano Stabellini
2012-08-23 10:37 ` Ian Campbell
2012-08-23 10:37 ` Ian Campbell [this message]
2012-08-23 10:37 ` [PATCH 2/6] Clarifications to predisclosure list subscription instructions Ian Campbell
2012-08-23 10:37 ` [PATCH 3/6] Clarify the scope of the process to just the hypervisor project Ian Campbell
2012-08-23 10:37 ` [PATCH 4/6] Discuss post-embargo disclosure of potentially controversial private decisions Ian Campbell
2012-08-23 10:37 ` [PATCH 5/6] Patch review, expert advice and targetted fixes Ian Campbell
2012-08-23 10:37 ` [PATCH 6/6] Declare version 1.3 Ian Campbell
2012-09-24 11:25 ` Security vulnerability process, and CVE-2012-0217 [vote?] Lars Kurth
2012-10-01 16:38 ` Ian Jackson
2012-10-03 17:03 ` Lars Kurth
2012-10-04 8:39 ` Lars Kurth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1345718274-7900-1-git-send-email-ian.campbell@citrix.com \
--to=ian.campbell@citrix.com \
--cc=Ian.Jackson@eu.citrix.com \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).