|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: Suggested changes to the admission policy of the vulnerability pre-disclosure list
On 15.07.2021 23:23, Charles-H. Schulz wrote: > Hello, > > I /we /Vates would like to suggest some changes to the policy regarding the > enrollment to the pre-disclosure mailing list of the Xen Security Team. > > We have had some talks with the French national CERT who has a need to be the > recipient of such a list. This national CERT -and in my experience other > national CERTs such as the NIST for instance- is in constant contact with a > large Xen userbase that is mostly made up of large parts of the public sector > as well as critical infrastructure operators belonging to the private > sector. For confidentiality reasons they cannot disclose who uses Xen and > where it is used nor who may be using it internally or within the related > national cybersecurity authority. > > Because of that, their request may not be clear or matching the existing > criteria for inclusion in the mailing list. National CERTs are trusted > actors and have historically been among the very first entities to define, > advocate for and put in practice the very notion of responsible > disclosure. Much of the current practice of Open Source projects in that > regard actually stems from CERTs. As part of their policies and processes > regarding vulnerability disclosure, the notion of confidentiality and > documented, waterfall-like processes of disclosure is play an integral > part of > how they handle informaton and publicity around vulnerability. As a result, > national CERTs (and the French National CERT) do not spread undisclosed > vulnerability without following established and agreed-upon processes. Such > processes include, in our instance, the ones defined and followed by the Xen > Security Team. Compliance with these are the first criteria to earn trust and > respect from the ecosystem and the downstream users. You can see an example > of their work here: https://www.cert.ssi.gouv.fr/ > > Part of the mission of the French National CERT is to work with > critical infrastructure providers in securing their IT. > This kind of expertise entails the securing of these information > systems before any unforeseen incident as well as after the incident > (incident remediation). > None of the tasks involved imply the communication of zero-day types > of vulnerabilities or vulnerabilities that are unpublished to the > downstream users. Would you mind shedding some light on the benefits of a national CERT being in the know of unpublished vulnerabilities when they can't share that knowledge with their downstreams, and hence their downstreams - as long as they aren't themselves members of our predisclosure list - would still be zero-dayed at the time of publication of such vulnerabilities? Shouldn't their advice to their downstreams rather be to direct them towards applying for pre-disclosure list membership? As to the actual policy - how would you propose to categorize such organizations, i.e. how would a new bullet point in the present " This includes: Public hosting providers; Large-scale organisational users of Xen; Vendors of Xen-based systems; Distributors of operating systems with Xen support. " look like in your opinion? This is pretty important imo, as it will need to be understood who else might then become eligible. Jan
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |