Re: [Xen-devel] [PATCH SECURITY-POLICY 3/9] Deployment with Security Team Permission

>>> On 16.01.15 at 20:52, <ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> --- a/security_vulnerability_process.html
> +++ b/security_vulnerability_process.html
> @@ -212,6 +212,17 @@ following:</p>
>    <li>The assigned XSA number</li>
>    <li>The planned disclosure date</li>
>  </ul>
> +<p>List members may, if (and only if) the Security Team grants
> +permission, deploy fixed versions during the embargo.  Permission for

..., may deploy ... ?


> +deployment, and any restrictions, will be stated in the embargoed
> +advisory text.</p>
> +<p>The Security Team will normally permit such deployment, even for
> +systems where VMs are managed or used by non-members of the
> +predisclosure list.  The Security Team will impose deployment
> +restrictions only insofar as it is necessary to prevent the exposure
> +of technicalities (for example, differences in behaviour) which
> +present a significant risk of rediscovery of the vulnerability.  Such
> +situations are expected to be rare.</p>
>  <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
>  permitted to also make available the allocated CVE number. This is no
>  longer permitted in accordance with MITRE policy.</p>
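
Review bot: The first added paragraph says permission and any restrictions "will be stated in the embargoed advisory text", but it does not say what list members should assume when an advisory is silent on deployment. Because the second paragraph says the Security Team "will normally permit such deployment", a reader could take silence either way. Consider adding a sentence that an advisory without an explicit deployment statement grants no permission, which matches the "if (and only if)" wording.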
