xen-devel
Re: [Xen-devel] Security vulnerability process
On Tue, 2011-07-26 at 11:25 -0400, Mike Bursell wrote:
> Ian/all -
>
> > In May I sent out a draft security vulnerability process. Mostly it
> > seems to have met with approval or at least acquiescence.
>
> > We received some comments and based on that I have prepared a new
> > final draft. The changes ought not to be controversial.
>
> > Please send any final comments by the 28th of July (14 days from
> > now). Unless there are objections, we will regard the process as
> > formally in force from that date.
>
> Sorry for the rather last-minute response, but we've been considering
> this process within Citrix, and although the process seems very clear
> and deals with most cases admirably, we'd like to propose a couple of
> changes to deal with edge cases, and one other change on top.
>
> I've included the original mail below, for reference in case people
> don't have it.
>
> Proposed changes
> i. extend the standard embargo period from one week to two to allow more
> time for response/roll-out.
This seems reasonable enough.
> ii. allow the standard initial week to flex in the case that a fix is
> not immediately found.
I think the existing wording is already pretty clear that these
timespans are a starting point and that it is subject to change if there
is good reason.
> iii. allow the standard embargo period to be extended, by consensus of
> those on the predisclosure list, moderated by the Board, to a longer
> period. This is to deal with cases where the vulnerability is
> particularly severe and/or the fixes are particularly onerous to roll
> out.
Ultimately the final determination lies with the discoverer, who is under
no obligation to abide by any decision made by the board.
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel