Xen project Mailing List

[Xen-devel] [PATCH SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo

From: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>

Date: Fri, 16 Jan 2015 19:52:18 +0000

Cc: lars.kurth.xen@xxxxxxxxx, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>

Delivery-date: Fri, 16 Jan 2015 19:53:05 +0000

List-id: Xen developer discussion <xen-devel.lists.xen.org>

Permitting sharing of embargoed fixes amongst predisclosure list seemed to have appropriate consensus. Signed-off-by: Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> --- security_vulnerability_process.html | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html index 41b5fe0..d1d40ca 100644 --- a/security_vulnerability_process.html +++ b/security_vulnerability_process.html @@ -224,6 +224,27 @@ situations are expected to be rare.</p> <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.</p> +<h3>Information-sharing amongst predisclosure list members</h3> +<p>Predisclosure list members are allowed to share fixes to embargoed issues, +analysis, etc., with the security teams of other list members. +Technical measures must be taken to prevents non-list-member +organisations, or unauthorised staff in list-member organisations, +from obtaining the embargoed materials.</p> +<p>The Xen Project provides the mailing list +<code>xen-security-issues-discuss@xxxxxxxxxxxxxxxxxxxx</code> +for this purpose. List members are encouraged to use it but +may share with other list members' security teams via other +channels.</p> +<p>The <code>-discuss</code> list's distribution is identical to that of the primary +predisclosure list <code>xen-security-issues</code>. Recipient organisations who +do not wish to receive all of the traffic on -discuss should use +recipient-side email filtering based on the provided <code>List-Id</code>.</p> +<p>The <code>-discuss</code> list is moderated by the Xen Project Security Team. +Announcements of private availability of fixed versions, and +technical messages about embargoed advisories, will be approved. +Messages dealing with policy matters will be rejected with a +reference to the Security Team contact address and/or public Xen +mailing lists.</p> <h3>Predisclosure list membership application process</h3> <p>Organisations who meet the criteria should contact predisclosure-applications@xenproject if they wish to receive -- 1.7.10.4 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.