Skip to content

Instantly share code, notes, and snippets.

Last active August 29, 2015 14:21
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save major/1a4f7ba7787b754845e9 to your computer and use it in GitHub Desktop.
Proposed Xen embargo change (Source:
--- xen-embargo.txt 2015-05-26 09:23:17.431489388 -0500
+++ xen-embargo-updated.txt 2015-05-26 09:37:05.318995814 -0500
@@ -1,13 +1,15 @@
Embargo and disclosure schedule
If a vulnerability is not already public, we would like to notify significant distributors and operators of Xen so that they can prepare patched software in advance. This will help minimise the degree to which there are Xen users who are vulnerable but can't get patches.
As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
1) One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.
2) Two working weeks between issue of our advisory to our predisclosure list and publication.
When a discoverer reports a problem to us and requests longer delays than we would consider ideal, we will honour such a request if reasonable. If a discoverer wants an accelerated disclosure compared to what we would prefer, we naturally do not have the power to insist that a discoverer waits for us to be ready and will honour the date specified by the discoverer.
+In the event that a two week embargo cannot be guaranteed, we will send a draft with information about the vulnerability to the pre-disclosure list as soon as possible, even if patches have not yet been written or tested. An updated draft will be sent to the pre-disclosure list once patches become available.
Naturally, if a vulnerability is being exploited in the wild we will make immediately public release of the advisory and patch(es) and expect others to do likewise.
Copy link

antonym commented May 26, 2015


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment