Proposed Xen embargo change (Source: http://www.xenproject.org/security-policy.html)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
|--- xen-embargo.txt 2015-05-26 09:23:17.431489388 -0500
|+++ xen-embargo-updated.txt 2015-05-26 09:37:05.318995814 -0500
|@@ -1,13 +1,15 @@
|Embargo and disclosure schedule
|If a vulnerability is not already public, we would like to notify significant distributors and operators of Xen so that they can prepare patched software in advance. This will help minimise the degree to which there are Xen users who are vulnerable but can't get patches.
|As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
|1) One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.
|2) Two working weeks between issue of our advisory to our predisclosure list and publication.
|When a discoverer reports a problem to us and requests longer delays than we would consider ideal, we will honour such a request if reasonable. If a discoverer wants an accelerated disclosure compared to what we would prefer, we naturally do not have the power to insist that a discoverer waits for us to be ready and will honour the date specified by the discoverer.
|+In the event that a two week embargo cannot be guaranteed, we will send a draft with information about the vulnerability to the pre-disclosure list as soon as possible, even if patches have not yet been written or tested. An updated draft will be sent to the pre-disclosure list once patches become available.
|Naturally, if a vulnerability is being exploited in the wild we will make immediately public release of the advisory and patch(es) and expect others to do likewise.