
[Xen-devel] [PATCH SECURITY-POLICY 5/9] Tighten, and make more objective, predisclosure list application

Applicants should be required to:

  - Provide information on their public web pages which makes
    it clear that and why they are eligible;

  - Specifically, publicly state that and how they are using Xen
    (so that the Security Team can verify eligibility);

  - Provide a way for members of the public to responsibly report
    security problems to the applicant, just as the Xen Project does.

The Security Team should be forbidden from trying to hunt down
eligibility information etc. and should instead be mandated to reject
incomplete requests.

Also remove the "case-by-case-basis" membership exception.  This is
not consistent with the new objective membership application process.

Signed-off-by: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
 security_vulnerability_process.html |   79 ++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 25 deletions(-)

diff --git a/security_vulnerability_process.html 
index 4fd02e9..41b5fe0 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -176,9 +176,7 @@ development, is very likely to be accepted; whereas a 
project with a
 single developer who spends a few hours a month will most likey be
 <p>For organizational users, a rule of thumb is that "large scale"
-means an installed base of 300,000 or more Xen guests. Other
-well-established organisations with a mature security response process
-will be considered on a case-by-case basis.</p>
+means an installed base of 300,000 or more Xen guests.</p>
 <p>The list of entities on the pre-disclosure list is public. (Just
 the list of projects and organisations, not the actual email
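Review bot: with the "case-by-case basis" sentence removed, the remaining text still opens with "a rule of thumb is that 'large scale' means an installed base of 300,000 or more Xen guests", which reads as guidance rather than a threshold; since the commit message's aim is an objective application process, consider rewording to state plainly whether 300,000 guests is a hard requirement for organisational users. The unchanged context line "will most likey be" carries a pre-existing typo ("likely") that could be fixed in a separate trivial patch.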
@@ -230,35 +228,66 @@ longer permitted in accordance with MITRE policy.</p>
 <p>Organisations who meet the criteria should contact
 predisclosure-applications@xenproject if they wish to receive
 pre-disclosure of advisories.  That is a public mailing list.
-<p>Please include in the e-mail:</p>
+<p>You must include in the e-mail:</p>
   <li>The name of your organization</li>
-  <li>A brief description of why you fit the criteria, along with
-  evidence to support the claim</li>
-  <li>A security alias e-mail address (no personal addresses -- see
-  below)</li>
-  <li>A link to a web page with your security policy statement</li>
+  <li>Domain name(s) which you use to provide Xen software/services</li>
+  <li>A brief description of why you fit the criteria</li>
+  <li>If not all of your products/services use Xen, a list of (some
+  of) your products/services (or categories thereof) which do.</li>
+  <li>Link(s) to current public web pages, belonging to your
+  organisation, for each of following pieces of information:
+    <ul>
+      <li>Evidence of your status as a service/software provider:
+        <ul>
+          <li>If you are a public hosting provider, your public rates
+          or how to get a quote</li>
+          <li>If you are a software provider, how your
+          software can be downloaded or purchased</li>
+          <li>If you are an open-source project, a mailing list
+          archive and/or version control repository, with
+          active development</li>
+        </ul>
+      </li>
+      <li>Evidence of your status as a user/distributor of Xen:
+        <ul>
+          <li>Statements about, or descriptions of, your eligible
+          production services or released software, from which it is
+          immediately evident that they use Xen.
+        </ul>
+      </li>
+      <li>Information about your handling of security problems:
+        <ul>
+          <li>Your invitation to members of the public, who discover
+          security problems with your products/services, to report
+          them in confidence to you;
+          <li>Specifically, the contact information (email addresses or
+          other contact instructions) which such a member of the
+          public should use.
+        </ul>
+      </li>
+    </ul>
+    <p>Blog postings, conference presentations, social media pages,
+    Flash presentations, videos, sites which require registration,
+    anything password-protected, etc., are not acceptable.  PDFs of
+    reasonable size are acceptable so long as the URL you provide is
+    of a ordinary HTML page providing a link to the PDF.</p>
+    <p>If the pages are long and/or PDFs are involved, your email
+    should say which part of the pages and documents are relevant.</p>
+  </li>
   <li>A statement to the effect that you have read this policy and
   agree to abide by the terms for inclusion in the list, specifically
   the requirements to regarding confidentiality during an embargo
-  <li>Evidence that will be considered may include the following:
-    <ul>
-      <li>If you are a public hosting provider, a link to a web page
-      with your public rates</li>
-      <li>If you are a software provider, a link to a web page where
-      your software can be downloaded or purchased</li>
-      <li>If you are an open-source project, a link to a mailing list
-      archive and/or a version control repository demonstrating active
-      development</li>
-      <li>A public key signed with a key which is in the PGP "strong
-      set"</li>
-    </ul>
-  </li>
+  <li>The single (non-personal) email alias you wish added to the
+  predisclosure list.</li>
-<p>Organizations already on the list who do not have a security alias
-or have not sent a statement that they have read this policy and will
-abide by, it will be asked to do so. </p>
+<p>Your application will be determined by the Xen Project Security
+Team, and their decision posted to the list.  The Security Team has
+no discretion to accept applications which do not provide all of the
+information required above.</p>
+<p>If you are dissatisfied with the Security Team's decision you may
+appeal it via the Xen Project's governance processes.</p>
 <p>Organisations should not request subscription via the mailing list
 web interface.  Any such subscription requests will be rejected and
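Review bot: the added "Blog postings, conference presentations ..." paragraph has "of a ordinary HTML page", which should be "of an ordinary HTML page"; the new `<li>` items ending "immediately evident that they use Xen.", "to report them in confidence to you;" and "public should use." have no closing `</li>`, unlike every other new item in this list, so for consistency add `</li>` to those three. Two removals are not explained in the commit message and deserve a sentence there: the PGP "strong set" key evidence item is dropped entirely, and the paragraph telling organisations already on the list that they will be asked to supply a security alias and a policy statement is removed, leaving it unclear whether existing members must re-apply under the new requirements.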
