[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Security policy ambiguities - XSA-108 process post-mortem

On Mon, Jan 19, 2015 at 8:36 PM, James McKenzie
<james.mckenzie@xxxxxxxxxxx> wrote:
> On 29/10/14 13:27, James Bulpin wrote:
>> George Dunlap writes ("Security policy ambiguities - XSA-108 process
>> post-mortem"):
>>> [snip]
>>> As far as I can tell we basically have the following options:
>>> 1. Never allow people to deploy during the embargo period.
>>> 2. Always allow people to deploy during the embargo period.
>>> 3. Have the security team attempt to evaluate the risk.
>>> 4. Have individual cloud operators evaluate the risk.
>>> This seems like a recipe for disaster.
> 1 and 3 seem like a recipe for disaster as organizations and individual
> people
> who have become aware of issues may have legal and other obligations to
> their
> users, it would also add a fairly strong incentive for a large operator not
> to share any issues that they, or a contractor, had found until they had
> completed a mitigation.
> Perhaps:
> 5) Have the security team discuss with the discoverer if fixes should be
> permitted during the embargo period before the discovery is announced to
> the list.

Right -- I think that the general approach is almost always "defer to
the discoverer", specifically to encourage early reporting.  Perhaps
it's worth making more explicit somewhere.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.