Re: [Xen-devel] Security vulnerability process, and CVE-2012-0217

Let me toss another possibility out there.  So far this discussion has
assumed that we can't have all interested parties on a list.  Is that
true?  Could we have a list that either anyone can join, or limited by
some easily verifiable criteria (e.g., has a website, a company e-mail
in the same domain, and can provide a scan of some official document)?

Such a list would definitely be lower security than a more restricted
list.  So there would be two questions:
1. What would reasonable criteria for this kind of list be?
2. How would disclosing to this list fit within the embargo period,
and with the discloser's wishes (if any)?

I think #2 would probably be:
* Make sure the discloser knows about the open nature of the list,
and abide by their wishes.  If the discloser considers the list to be
a public disclosure, they may ask us not to announce to the list until
the end of the embargo period, or until some period of time before the
end (say, 1 week).
* By default, suggest disclosing to the list as soon as we have a fix
available, and then making a public announcement (on blogs / press
releases / whatever) some time afterwards (say, 1 or 2 weeks).

This is certainly more fair than options which have a list but limit
the membership artificially by size.  For those who think a public
announcement does not significantly increase the risk, this will be
very similar to what they would have if we decided not to have a list
at all.  However, for those who believe that publicly announcing the
vulnerability greatly increases the risk of exploitation, it will give
them some extra time to patch their systems until that happens.

There will be administrative work on the part of someone at xen.org to
determine who is on the list or not; but it shouldn't require too much
extra effort on the part of the security team.

The only caveat I can think of is that it may increase the risk,
during the time between the predisclosure and the public announcement,
for those not on the list.  We can basically assume that the list will
have some blackhats.  If the timeframe is anywhere near what some
people have asked for (e.g., 3-4 weeks), then it might become
worthwhile for people to develop an exploit to take advantage of
people during that timeframe.  This might be an acceptable cost, since
those people *could* be on the list if they wanted.