Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

On Thu, 12 Jul 2012, Joanna Rutkowska wrote:
> > But the key question remains: would we allow a small service provider to
> > join the service providers list? I think that we should.
> It would probably be very easy for the proverbial Chinese to set up a
> small service provider and join the list just to get prompt info about
> bugs they can exploit in order to 0wn the proverbial AWS...

I think that there is no way around that: not only a small service
provider, but even a small Linux distro could easily be set up just to
get on the security list.

Even linux-distros has, as subscribers, distros that are single-handedly
developed by one developer. It would certainly be possible, and probably
profitable, to pay a developer just to be on these lists.

And of course people in big companies can be corrupted and leak
information, even if the company is believed trustworthy.
The bigger the company, the more people will know about the vulnerability,
and the higher the chance that one of them will leak the information.
