
Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

(speaking for myself) 
On Wed, 2012-06-20 at 09:49 +0100, Jan Beulich wrote:
> > 14. Early consideration of which other organisations to bring in
> >
> > Our process needs to have, very early on, an explicit step of
> > deciding which other projects/organisations may also be vulnerable and
> > may therefore need to be part of the same disclosure process.  It also
> > needs to make sure that we ask for any help (for example from
> > upstreams or hardware vendors) as soon as possible.
> Our security response team should only take our projects into
> consideration. Cross project vulnerabilities should be managed
> by entities set up to deal with this.

I'm generally of the same opinion -- if/when we discover that the impact
of an issue is wider than Xen, instead of continuing to drive the process
forward ourselves we should "escalate" to an entity which is set up to
deal with such cross-project vulnerabilities.

What are the options here? CERT would be one, I'm sure there must be
others. We should probably pick one which has policies we are happy


Xen-devel mailing list