From mboxrd@z Thu Jan 1 00:00:00 1970
From: Keir Fraser
Subject: Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Date: Mon, 09 Jul 2012 14:35:05 +0100
References: <4FFADBD2.6070502@invisiblethingslab.com>
In-Reply-To: <4FFADBD2.6070502@invisiblethingslab.com>
To: Joanna Rutkowska, George Dunlap
Cc: Stefano Stabellini, Lars Kurth, Jan Beulich, Matt Wilson, "xen-devel@lists.xen.org"
List-Id: xen-devel@lists.xenproject.org

On 09/07/2012 14:25, "Joanna Rutkowska" wrote:

>> If you're into the security industry (going to conferences, etc) you
>> certainly know the right people who would be delighted to buy exploits
>> from you, believe me ;) Probably most Xen developers don't fit into this
>> crowd, true, but then again, do you think it would be so hard for an
>> interested organization to approach one of the Xen developers on the
>> pre-disclosure list? How many would resist if they had a chance to cash
>> in some 7-figure number for this (I read in the press that hot
>> bugs/exploits sell for this amount actually)?
>
> (Correction: I meant a 6-figure number)

Thought I was in the wrong end of the business there for a while. ;)