Skip to content

Instantly share code, notes, and snippets.

@major

major/xen-embargo.diff

Last active Aug 29, 2015
Embed
What would you like to do?
Proposed Xen embargo change (Source: http://www.xenproject.org/security-policy.html)
--- xen-embargo.txt 2015-05-26 09:23:17.431489388 -0500
+++ xen-embargo-updated.txt 2015-05-26 09:37:05.318995814 -0500
@@ -1,13 +1,15 @@
Embargo and disclosure schedule
If a vulnerability is not already public, we would like to notify significant distributors and operators of Xen so that they can prepare patched software in advance. This will help minimise the degree to which there are Xen users who are vulnerable but can't get patches.
As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
1) One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.
2) Two working weeks between issue of our advisory to our predisclosure list and publication.
When a discoverer reports a problem to us and requests longer delays than we would consider ideal, we will honour such a request if reasonable. If a discoverer wants an accelerated disclosure compared to what we would prefer, we naturally do not have the power to insist that a discoverer waits for us to be ready and will honour the date specified by the discoverer.
+In the event that a two week embargo cannot be guaranteed, we will send a draft with information about the vulnerability to the pre-disclosure list as soon as possible, even if patches have not yet been written or tested. An updated draft will be sent to the pre-disclosure list once patches become available.
+
Naturally, if a vulnerability is being exploited in the wild we will make immediately public release of the advisory and patch(es) and expect others to do likewise.
@pvo

This comment has been minimized.

Copy link

@pvo pvo commented May 26, 2015

+1

@antonym

This comment has been minimized.

Copy link

@antonym antonym commented May 26, 2015

+1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.