On 05/27/2015 12:47 PM, Lars Kurth wrote:
> ...
> 4. Advisory pre-release:
>
> This occurs only if the advisory is embargoed (i.e., the problem is not already
> public):
>
> As soon as our advisory is available, we will send it, including patches, to
> members of the Xen security pre-disclosure
> On 26 May 2015, at 17:34, Stefano Stabellini
> wrote:
>>
>> Thanks for the help, folks. I've tossed a proposed security policy change
>> into a GitHub gist[1].
>>
>> My proposal is to add this paragraph to the "Embargo and disclosure
>> schedule" section of the Xen Security Policy[2]:
>>
On 05/26/15 16:34, Major Hayden wrote:
> On 05/26/2015 11:50 AM, Stefano Stabellini wrote:
>> I would go for:
>
>> In the event that public disclosure is less than 15 days away, we will
>> send a draft with information about the vulnerability to the
>> pre-disclosure list as soon as possible, even
(Just adding Lars so he is aware and can run the formal vote once we
have consensus on a proposal for new text)
On Tue, 2015-05-26 at 15:38 +, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> >> > On 05/22/2015 09:04 AM, Jan
On 05/26/2015 11:50 AM, Stefano Stabellini wrote:
> I would go for:
>
> In the event that public disclosure is less than 15 days away, we will
> send a draft with information about the vulnerability to the
> pre-disclosure list as soon as possible,
On Tue, 26 May 2015, Major Hayden wrote:
> On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> > On Fri, 22 May 2015, Major Hayden wrote:
> >> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
> >>> > > If you were to ask for this only if the time gap until embargo expiry
> >>> > > was less than the def
On 05/26/2015 07:15 AM, Stefano Stabellini wrote:
> On Fri, 22 May 2015, Major Hayden wrote:
>> > On 05/22/2015 09:04 AM, Jan Beulich wrote:
>>> > > If you were to ask for this only if the time gap until embargo expiry
>>> > > was less than the default of two weeks, maybe I would buy this.
>> >
>>
On Fri, 22 May 2015, Major Hayden wrote:
> On 05/22/2015 09:04 AM, Jan Beulich wrote:
> > If you were to ask for this only if the time gap until embargo expiry
> > was less than the default of two weeks, maybe I would buy this.
>
> I'm good with that as well. I think we're saying:
>
> if embar
On 05/22/2015 09:04 AM, Jan Beulich wrote:
> If you were to ask for this only if the time gap until embargo expiry
> was less than the default of two weeks, maybe I would buy this.
I'm good with that as well. I think we're saying:
if embargo_len
>>> On 22.05.15 at 15:14, wrote:
> My request is that the Xen security team would send a pre-disclosure notice
> of the vulnerability as soon as permission from the discoverer is granted
> *even if* patches aren't available. For example, I'd like to receive a
> notice saying "there's a vulnera
On 05/22/2015 02:40 AM, Jan Beulich wrote:
> I realize this is being written under the impression of XSA-133, where
> the usual 2 week window between pre-disclosure and public disclosure
> was (almost) missing. But that's an exception, not the rule. Are you
> saying that the usual 2 week advance no
>>> On 21.05.15 at 15:03, wrote:
> Would it be possible to send out a pre-disclosure notice as soon as
> permission is granted from the discoverer and the vulnerability is verified
> as valid? In other words, could a pre-disclosure email be sent to parties on
> the pre-disclosure list *PRIOR*
Hello there,
I'd like to suggest a change to the Xen Security Problem Response Process[0].
The section I'm concerned with is here:
> As discussed, we will negotiate with discoverers about disclosure schedule.
> Our usual starting point for that