[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

To: Joanna Rutkowska <joanna@xxxxxxxxxxxxxxxxxxxxxx>
From: Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>
Date: Fri, 13 Jul 2012 19:15:14 +0100
Cc: Jan Beulich <JBeulich@xxxxxxxx>, Stefano Stabellini <Stefano.Stabellini@xxxxxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, "Tim \(Xen.org\)" <tim@xxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, Lars Kurth <lars.kurth@xxxxxxx>, Matt Wilson <msw@xxxxxxxxxx>
Delivery-date: Fri, 13 Jul 2012 18:16:23 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On Thu, 12 Jul 2012, Joanna Rutkowska wrote:
> > But the key question remain: would we allow a small service provider to
> > join the service providers list? I think that we should.
> 
> It would probably be very easy for the proverbial Chinese to setup a
> small service provider and join the list just to get prompt info about
> bugs they can exploit in order to 0wn the proverbial AWS...

I think that there is no way around that: not only a small service
provider, but even a small Linux distro could be easily setup just to
get in the security list.

Even linux-distros has distros that are single-handedly developed by one
developer as subscribers. It would certainly be possible and probably
profitable paying a developer just to be on these lists.

And of course people in big companies can be corrupted and leak
informations, even if the company is believed trustworthy.
Bigger the company, more people will know about the vulnerability,
higher is the chance that one of them will leak the information.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

References:
- [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: George Dunlap
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: George Dunlap
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Tim Deegan
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Stefano Stabellini
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Stefano Stabellini
- Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
  - From: Joanna Rutkowska

Prev by Date: Re: [Xen-devel] [PATCH] xen/events: fix unmask_evtchn for PV on HVM guests
Next by Date: Re: [Xen-devel] incorrect layout of globals from head_64.S during kexec boot
Previous by thread: Re: [Xen-devel] Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Next by thread: Re: [Xen-devel] Security discussion: Summary of proposals and criteria
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.