
[PATCH][security policy] embargo control and crediting of discoverer


  • To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Tue, 23 Dec 2025 18:03:25 +0100
  • Cc: "committers@xxxxxxxxxxxxxx" <committers@xxxxxxxxxxxxxx>, "community.manager@xxxxxxxxxxxxxx" <community.manager@xxxxxxxxxxxxxx>
  • Delivery-date: Tue, 23 Dec 2025 17:07:34 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

This is as per discussion at an earlier Community Call.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
---
Btw, what does "(b)-(f)" refer to under "Specific Process", item 3, sub-
item 5?

--- content/about/security-policy.md
+++ content/about/security-policy.md
@@ -103,6 +103,8 @@ Vulnerabilities reported against other X
 
     At this stage the advisory will be clearly marked with the embargo date.
 
+    Unless requested otherwise, the discoverer will be credited already with 
the pre-release.
+
 5.  **Advisory public release:**At the embargo date we will publish the 
advisory, and push bugfix changesets to public revision control trees.Public 
advisories will be posted to xen-devel, xen-users and xen-annnounce and will be 
added to the [Security Announcements Page](http://xenbits.xen.org/xsa/) (note 
that Advisories before XSA-26 were published 
[here](http://wiki.xenproject.org/wiki/Security_Announcements_%28Historical%29))
 . Copies will also be sent to the pre-disclosure list.
 6.  **Updates**If new information or better patches become available, or we 
discover mistakes, we may issue an amended (revision 2 or later) public 
advisory. This will also be sent to the pre-disclosure list.
 7.  **Post embargo transparency:**During an embargo period the Security 
Response Team may be required to make potentially controverial decisions in 
private, since they cannot confer with the community without breaking the 
embargo. The Security Response Team will attempt to make such decisions 
following the guidance of this document and where necessary their own best 
judgement. Following the embargo period any such decisions will be disclosed to 
the community in the interests of transparency and to help provide guidance 
should a similar decision be required in the future.
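Review bot: the wording of the added sentence under step 4 ("the discoverer will be credited already with the pre-release") reads awkwardly and leaves it implicit who does the requesting; consider "Unless the discoverer requests otherwise, they will already be credited in the pre-release advisory." While touching this step, the surrounding context lines carry pre-existing typos that could be fixed in the same patch or a follow-up: "xen-annnounce", "controverial", and the missing space after "**Advisory public release:**" and "**Updates**".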
@@ -118,6 +120,8 @@ As discussed, we will negotiate with dis
 
 When a discoverer reports a problem to us and requests longer delays than we 
would consider ideal, we will honour such a request if reasonable. If a 
discoverer wants an accelerated disclosure compared to what we would prefer, we 
naturally do not have the power to insist that a discoverer waits for us to be 
ready and will honour the date specified by the discoverer.
 
+In any event at the time of pre-disclosure control over a possible late change 
of the public disclosure date moves from the discoverer to the Security 
Response Team. This is to avoid pre-disclosure list members putting pressure on 
the individual to extend or shorten the embargo.
+
 Naturally, if a vulnerability is being exploited in the wild we will make 
immediately public release of the advisory and patch(es) and expect others to 
do likewise.
 
 ## Pre-disclosure list
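Review bot: the new paragraph needs to be reconciled with the sentence just above it, which says we "will honour the date specified by the discoverer"; as written it is not clear whether the discoverer's chosen date still stands at pre-disclosure and only subsequent changes move to the Security Response Team, or whether the team may override the date at that point. Suggest stating explicitly that the date agreed before pre-disclosure is kept and that only later changes are decided by the team, and adding commas for readability: "In any event, at the time of pre-disclosure, control over any late change of the public disclosure date moves from the discoverer to the Security Response Team."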
@@ -297,6 +301,7 @@ This is a list of organisations on the p
 
 ## Change History
 
+-   **v3.26 Dec 23rd 2025:** Changed embargo control
 -   **v3.25 Dec 23rd 2025:** Removed iWeb Technologies Inc.
 -   **v3.24 Dec 5th 2024:** Added NixOS
 -   **v3.23 Aug 8th 2019:** Added DornerWorks Ltd
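Review bot: the v3.26 change-history entry mentions only "Changed embargo control" but the patch also changes the crediting of discoverers (the first hunk), which is the other half of the subject line; suggest "Changed embargo control; credit discoverer already in the pre-release advisory" so readers of the history can find both policy changes.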