From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ian Campbell Subject: [PATCH 1/6] Clarify what info predisclosure list members may share during an embargo Date: Thu, 23 Aug 2012 11:37:49 +0100 Message-ID: <1345718274-7900-1-git-send-email-ian.campbell@citrix.com> References: <1345718230.12501.79.camel@zakaz.uk.xensource.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1345718230.12501.79.camel@zakaz.uk.xensource.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: xen-devel@lists.xen.org Cc: Ian Jackson , Ian Campbell List-Id: xen-devel@lists.xenproject.org See <20448.49637.38489.246434@mariner.uk.xensource.com>, section "7. Public communications during the embargo period" --- security_vulnerability_process.html | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html index d1a6629..eff108a 100644 --- a/security_vulnerability_process.html +++ b/security_vulnerability_process.html @@ -195,9 +195,17 @@ if(ns4)_d.write("<\/scr should not make available, even to their own customers and partners:
  • the Xen.org advisory
  • their own advisory
    • +
  • the impact, scope, set of vulnerable systems or the nature + of the vulnerability
  • revision control commits which are a fix for the problem
  • patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.

+

List members are allowed to make available to their users only the following:

    +
  • The existance of an issue
    • +
  • The assigned XSA and CVE numbers
    • +
  • The planned disclosure date
    • +

+

Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.

The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.

-- 1.7.10.4