Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem
On Mon, Jan 19, 2015 at 8:36 PM, James McKenzie <james.mckenzie@xxxxxxxxxxx> wrote:
> On 29/10/14 13:27, James Bulpin wrote:
>> George Dunlap writes ("Security policy ambiguities - XSA-108 process post-mortem"):
>>> [snip]
>>>
>>> As far as I can tell we basically have the following options:
>>>
>>> 1. Never allow people to deploy during the embargo period.
>>>
>>> 2. Always allow people to deploy during the embargo period.
>>>
>>> 3. Have the security team attempt to evaluate the risk.
>>>
>>> 4. Have individual cloud operators evaluate the risk.
>>>
>>> This seems like a recipe for disaster.
>
> 1 and 3 seem like a recipe for disaster, as organizations and individual people
> who have become aware of issues may have legal and other obligations to their
> users; it would also add a fairly strong incentive for a large operator not
> to share any issues that they, or a contractor, had found until they had
> completed a mitigation.
>
> Perhaps:
>
> 5) Have the security team discuss with the discoverer if fixes should be
> permitted during the embargo period before the discovery is announced to
> the list.

Right -- I think that the general approach is almost always "defer to the
discoverer", specifically to encourage early reporting. Perhaps it's worth
making it more explicit somewhere.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel