[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers

To: xen-devel <xen-devel@xxxxxxxxxxxxx>
From: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Date: Mon, 30 Jun 2014 15:08:22 +0100
Cc: Russell Pavlicek <russell.pavlicek@xxxxxxxxxx>, Lars Kurth <lars.kurth@xxxxxxx>, security@xxxxxxx
Delivery-date: Mon, 30 Jun 2014 14:11:41 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

There have been no objections. Lars/Russ please could you update the
security policy as described.

Cheers,
Ian.

On Wed, 2014-06-18 at 11:14 +0100, Ian Campbell wrote:
> MITRE have asked us to stop our practice of allowing the CVE number
> associated with embargoed security advisories. Their policy is such that
> they tie the embargo of the details of the advisory to the number and
> any sighting of the CVE# in the wild is taken as the end of the embargo
> (the CVE# acts as a canary of sorts).
> 
> MITRE is the organisation which allocated CVEs and therefore we are
> constrained by their policies. Given that the security team proposes to
> modify the security policy[0] as follows:
> 
>         Under "List members are allowed to make available to their users
>         only the following:" change the bullet:
>             * The assigned XSA and CVE numbers
>         to read:
>             * The assigned XSA number
>         
>         Following that list add the text:
>                 
>                 NOTE: Prior v2.2 of this policy ($DATE) it was permitted
>                 to also make available the allocated CVE number. This is
>                 no longer permitted in accordance with MITRE policy.
>         
>         The change history should add v2.2 describing this change.
> 
> The security team intends to continue including CVE numbers (when
> available) in embargoed advisories. The change here is that
> predisclosure list members will no longer be allowed to share that
> number while the embargo is in force.
> 
> While this change to our policy is still under discussion the security
> team will temporarily refrain from publishing the CVEs for embargoed
> issues.
> 
> If there are no objections I suggest we make this change in one week on
> 25 June. Lars can you make that so please?
> 
> Ian.
> 
> [0] http://www.xenproject.org/security-policy.html
> 



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
  - From: Russell Pavlicek

References:
- [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
  - From: Ian Campbell

Prev by Date: [Xen-devel] [linux-linus test] 27820: regressions - FAIL
Next by Date: Re: [Xen-devel] Issues regarding "mem_access: Add helper API to setup ring and enable mem_access"
Previous by thread: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
Next by thread: Re: [Xen-devel] [SECURITY POLICY] No longer allow sharing of embargoed CVE numbers
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.