WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

[Xen-devel] Security vulnerability process

To: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] Security vulnerability process
From: Mike Bursell <mike.bursell@xxxxxxxxxx>
Date: Tue, 26 Jul 2011 16:25:41 +0100
Accept-language: en-US
Acceptlanguage: en-US
Delivery-date: Tue, 26 Jul 2011 08:27:24 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcxLqEfmqhxBTychQr26pKP95EhCUQ==
Thread-topic: Security vulnerability process
Ian/all -

>In May I sent out a draft security vulnerability process.  Mostly it
>seems to have met with approval or at least acquiescence.

>We received some comments and based on that I have prepared a new
>final draft.  The changes ought not to be controversial.

>Please send any final comments by the 28th of July (14 days from
>now).  Unless there are objections, we will regard the process as
>formally in force from that date.

Sorry for the rather last-minute response, but we've been considering 
this process within Citrix, and although the process seems very clear
and deals with most cases admirably, we'd like to propose a couple of 
changes to deal with edge cases, and one other change on top.

I've included the original mail below, for reference in case people
don't have it.

Proposed changes
i. extend the standard embargo period from one week to two to allow more
time for response/roll-out.
ii. allow the standard initial week to flex in the case that a fix is
not immediately found.
iii. allow the standard embargo period to be extended, by consensus of
those on the predisclosure list, moderated by the Board, to a longer
period.  This is to deal with cases where the vulnerability is
particularly severe and/or the fixes are particularly onerous to roll
out.  

-1. One working week between notification arriving at security@xen
-   and the issue of our own advisory to our predisclosure list.  We
-   will use this time to gather information and prepare our
-   advisory, including required patches.
+1. One working week between notification arriving at security@xen
+   and the issue of our own advisory to our predisclosure list.  We
+   will use this time to gather information and prepare our
+   advisory, including required patches.  If a week is not sufficient
+   time to prepare a fix or work-around, this period may be extended.

-2. One working week between issue of our advisory to our
-   predisclosure list and publication.
+2. Two working weeks between issue of our advisory to our
+   predisclosure list and publication.  Any member of the
+   predisclosure list may request an extension of this period,
+   to be agreed by consensus of the members of the list.  If
+   a consensus cannot be reached, the Board shall make the 
+   final determination.

Hopefully these changes allow for those awkward (and hopefully
infrequent) cases where things are complicated, but abide with the
spirit of the community.  We've tried to model them on similar policies
from other OSS projects.

-Mike.
-- 
Mike Bursell, Network Subsystem Architect
Citrix Systems R&D.  +44 7971 926937


ORIGINAL MAIL BELOW:
------------------------------

Changes from the previous draft:

  * The pre-disclosure list will get copies of public advisories and
    updated advisories, not just embargoed ones.

  * The list of entities on the pre-disclosure list will be made
    public.  We should probably warn the existing members of the
    predisclosure list that the fact that their organisation is on the
    list will be published and give them a chance to object or
    withdraw, so we will publish the actual list when the policy comes
    into force rather than right away.  I don't expect any of the
    members to object.  We're publishing organisation or vendor names,
    not email addresses, of course - the purpose is transparency, not
    spam.

  * Make it clear that we will share vulnerability information with
    other projects or vendors if we think the same problem may apply
    to them, or when it's necessary to understand the problem and
    prepare the advisory.



            xen.org security problem response process
            -----------------------------------------

Introduction
------------

Computer systems have bugs.  Currently recognised best practice for
bugs with security implications is to notify significant downstream
users in private; leave a reasonable interval for downstreams to
respond and prepare updated software packages; then make public
disclosure.

We want to encourage people to report bugs they find to us.  Therefore
we will treat with respect the requests of discoverers, or other
vendors, who report problems to us.


Specific process
----------------

1. We request that anyone who discovers a vulnerability in xen.org
   software reports this by email to security (at) xen (dot) org.

   (This also covers the situation where an existing published
   changeset is retrospectively found to be a security fix.)

2. Immediately, and in parallel:

   (a) Those of us on the xen.org team who are aware of the problem
       will notify security@xen if disclosure wasn't made there
       already.

   (b) If the vulnerability is not already public, security@xen will
       negotiate with discoverer regarding embargo date and disclosure
       schedule.  See below for detailed discussion.

3. Furthermore, also in parallel:

   (c) security@xen will check whether the discoverer, or other people
       already aware of the problem, have allocated a CVE number.  If
       not, we will acquire a CVE candidate number ourselves, and
       make sure that everyone who is aware of the problem is also
       aware of the CVE number.

   (d) If we think other software systems (for example, competing
       hypervisor systems) are likely to be affected by the same
       vulnerability, we will try to make those other projects aware
       of the problem and include them in the advisory preparation
       process.  (This may rely on the other project(s) having
       documented and responsive security contact points.)

   (e) We will prepare or check patch(es) which fix the vulnerability.
       This would ideally include all relevant backports.

   (f) We will determine which systems/configurations/versions are
       vulnerable, and what the impact of the vulnerability is.
       Depending on the nature of the vulnerability this may involve
       sharing information about the vulnerability (in confidence, if
       the issue is embargoed) with hardware vendors and/or other
       software projects.

   (g) We will write a Xen advisory including information from (b)-(f)

2. Advisory pre-release:

   This occurs only if the advisory is embargoed (ie, the problem is
   not already public):

   As soon as our advisory is available, we will send it,
   including patches, to members of the Xen security pre-disclosure
   list.  For more information about this list, see below.

   At this stage the advisory will be clearly marked with the embargo
   date.

3. Advisory public release:

   At the embargo date we will publish the advisory, and push
   bugfix changesets to public revision control trees.

   Public advisories will be posted to xen-devel.

   Copies will also be sent to the pre-disclosure list, unless
   the advisory was already sent there previously during the embargo
   period and has not been updated since.

4. Updates

   If new information or better patches become available, or we
   discover mistakes, we may issue an amended (revision 2 or later)
   public advisory.  This will also be sent to the pre-disclosure
   list.


Embargo and disclosure schedule
-------------------------------

If a vulnerability is not already public, we would like to notify
significant distributors and operators of Xen so that they can prepare
patched software in advance.  This will help minimise the degree to
which there are Xen users who are vulnerable but can't get patches.

As discussed, we will negotiate with discoverers about disclosure
schedule.  Our usual starting point for that negotiation, unless there
are reasons to diverge from this, would be:

  1. One working week between notification arriving at security@xen
     and the issue of our own advisory to our predisclosure list.  We
     will use this time to gather information and prepare our
     advisory, including required patches.

  2. One working week between issue of our advisory to our
     predisclosure list and publication.

When a discoverer reports a problem to us and requests longer delays
than we would consider ideal, we will honour such a request if
reasonable.  If a discoverer wants an accelerated disclosure compared
to what we would prefer, we naturally do not have the power to insist
that a discoverer waits for us to be ready and will honour the date
specified by the discoverer.

Naturally, if a vulnerability is being exploited in the wild we will
make immediately public release of the advisory and patch(es) and
expect others to do likewise.


Pre-disclosure list
-------------------

Xen.org operates a pre-disclosure list.  This list contains the email
addresses (ideally, role addresses) of the security response teams for
significant Xen operators and distributors.

This includes:
  - Large-scale hosting providers;
  - Large-scale organisational users of Xen;
  - Vendors of widely-deployed Xen-based systems;
  - Distributors of widely-deployed operating systems with Xen support.
This includes both corporations and community institutions.

Here as a rule of thumb "large scale" and "widely deployed" means an
installed base of 300,000 or more Xen guests; other well-established
organisations with a mature security response process will be
considered on a case-by-case basis.

The list of entities on the pre-disclosure list is public.  (Just the
list of projects and organisations, not the actual email addresses.)

Pre-disclosure list members are expected to maintain the
confidentiality of the vulnerability up to the embargo date which
security@xen have agreed with the discoverer.

Specifically, prior to the embargo date, pre-disclosure list members
should not make available, even to their own customers and partners:
 - the Xen.org advisory
 - their own advisory
 - revision control commits which are a fix for the problem
 - patched software (even in binary form)
without prior consultation with security@xen and/or the discoverer.

Organisations who meet the criteria should contact security@xen if
they wish to receive pre-disclosure of advisories.

The pre-disclosure list will also receive copies of public advisories
when they are first issued or updated.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
<Prev in Thread] Current Thread [Next in Thread>