Mike Bursell writes ("Re: [Xen-devel] Security vulnerability process"):
> After some thought, I think we're pushing away too far from the
> discoverer here. What I suggest, therefore, is to say
>
> i) explicitly that if the discoverer wishes to extend the predisclosure
> period, this will be honoured
The most recent draft policy already contains these paragraphs:
When a discoverer reports a problem to us and requests longer delays
than we would consider ideal, we will honour such a request if
reasonable. If a discoverer wants an accelerated disclosure compared
to what we would prefer, we naturally do not have the power to insist
that a discoverer waits for us to be ready and will honour the date
specified by the discoverer.
Naturally, if a vulnerability is being exploited in the wild we will
make immediately public release of the advisory and patch(es) and
expect others to do likewise.
That seems sufficiently clear to me that we will honour an extended
predisclosure period.
> ii) that if a predisclosure list member wishes to contact the discoverer
> to request an extension, that the Xen.org security team will act as a
> channel for such requests.
In general, I think it should be clear that the Xen.org security team
will act as a channel for any communications between all relevant
parties. This isn't explicitly stated in the most recent draft.
How about:
The Xen.org security team should be the primary contact point for
communications. It will pass on information, requests, and other
messages between predisclosure team members, discoverers, and
others, as applicable.
?
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel