On 15.07.2021 23:23, Charles-H. Schulz wrote:
> Hello,
>
> I /we /Vates would like to suggest some changes to the policy regarding the
> enrollment to the pre-disclosure mailing list of the Xen Security Team.
>
> We have had some talks with the French national CERT who has a need to be the
> recipient of such a list. This national CERT -and in my experience other
> national CERTs such as the NIST for instance- is in constant contact with a
> large Xen userbase that is mostly made up of large parts of the public sector
> as well as critical infrastructure operators belonging to the private
> sector. For confidentiality reasons they cannot disclose who uses Xen and
> where it is used nor who may be using it internally or within the related
> national cybersecurity authority.
>
> Because of that, their request may not be clear or match the existing
> criteria for inclusion in the mailing list. National CERTs are trusted
> actors and have historically been among the very first entities to define,
> advocate for and put in practice the very notion of responsible
> disclosure. Much of the current practice of Open Source projects in that
> regard actually stems from CERTs. As part of their policies and processes
> regarding vulnerability disclosure, the notion of confidentiality and
> documented, waterfall-like processes of disclosure play an integral part of
> how they handle information and publicity around vulnerabilities. As a result,
> national CERTs (and the French National CERT) do not spread undisclosed
> vulnerabilities without following established and agreed-upon processes. Such
> processes include, in our instance, the ones defined and followed by the Xen
> Security Team. Compliance with these is the first criterion to earn trust and
> respect from the ecosystem and the downstream users. You can see an example
> of their work here: https://www.cert.ssi.gouv.fr/
>
> Part of the mission of the French National CERT is to work with
> critical infrastructure providers in securing their IT.
> This kind of expertise entails the securing of these information
> systems before any unforeseen incident as well as after the incident
> (incident remediation).
> None of the tasks involved imply the communication of zero-day types
> of vulnerabilities or vulnerabilities that are unpublished to the
> downstream users.
Would you mind shedding some light on the benefits of a national CERT being
in the know of unpublished vulnerabilities when they can't share that
knowledge with their downstreams, and hence their downstreams - as long as
they aren't themselves members of our predisclosure list - would still be
zero-dayed at the time of publication of such vulnerabilities? Shouldn't
their advice to their downstreams rather be to direct them towards applying
for pre-disclosure list membership?

As to the actual policy - how would you propose to categorize such
organizations, i.e. how would a new bullet point in the present

"This includes:
 Public hosting providers;
 Large-scale organisational users of Xen;
 Vendors of Xen-based systems;
 Distributors of operating systems with Xen support."

look like in your opinion? This is pretty important imo, as it will need to
be understood who else might then become eligible.

Jan