From: Ian Jackson <Ian.Jackson@eu.citrix.com>
To: xen-devel@lists.xen.org
Subject: Security vulnerability process - lessons learned discussion
Date: Tue, 12 Jun 2012 13:12:06 +0100
Message-ID: <20439.12822.424318.955833@mariner.uk.xensource.com>

During the past weeks the Xen.org security team have been involved
with the preparation, predisclosure and publication of Xen Security
Advisories 7, 8 and 9.

During this exercise we found that there were a number of difficulties
with the current security vulnerability process.  These include both
the need for some straightforward procedural improvements, and some
more thorny questions of policy.

We also wish to make the community aware of some of the key decisions
we were faced with during the predisclosure period, and explain what
we as the Xen.org team did and why.

Some members of the predisclosure list, and some community members who
appear to have heard about a problem via some kind of leaks, have also
expressed the view to us that there are elements of the process that
they feel could be improved.

However, many users - particularly those not on the predisclosure list
- will be busy right now upgrading systems to cope with these
vulnerabilities.  We do not expect that community members will want to
divert their resources from front-line security response to
longer-term process improvements, and it is important that everyone
gets a chance to participate properly in policy discussions without
being overly distracted.

We therefore intend to postpone starting this discussion ourselves for
around a week, until the 19th of June.  We would respectfully request
that other community members do likewise.

Starting on Tuesday the 19th of June we expect to have a full and
frank conversation, and we look forward to engaging fully with the Xen
community.

The existing established consensus decision-making approach of the Xen
project will of course be used to agree any changes to the
vulnerability response process document.

Thanks,
Ian.
(on behalf of the Xen.org security response team)
