From: Ian Campbell <ian.campbell@citrix.com>
To: xen-devel@lists.xen.org
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Ian Campbell <ian.campbell@citrix.com>
Subject: [PATCH 1/6] Clarify what info predisclosure list members may share during an embargo
Date: Thu, 23 Aug 2012 11:37:49 +0100	[thread overview]
Message-ID: <1345718274-7900-1-git-send-email-ian.campbell@citrix.com> (raw)
In-Reply-To: <1345718230.12501.79.camel@zakaz.uk.xensource.com>

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
  "7. Public communications during the embargo period"
---
 security_vulnerability_process.html |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index d1a6629..eff108a 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -195,9 +195,17 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr
     should not make available, even to their own customers and partners:<ul>
        <li>the Xen.org advisory</li>
        <li>their own advisory</li>
+       <li>the impact, scope, set of vulnerable systems or the nature
+       of the vulnerability</li>
        <li>revision control commits which are a fix for the problem</li>
        <li>patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.</li>
     </ul></p>    
+    <p>List members are allowed to make available to their users only the following:<ul>
+       <li>The existance of an issue</li>
+       <li>The assigned XSA and CVE numbers</li>
+       <li>The planned disclosure date</li>
+    </ul></p>
+
     <p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.</p>    
     <p>The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.</p>
     
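Review bot: the new paragraph's "only the following" (the `<p>List members are allowed to make available to their users only the following:` line) conflicts with the existing bullet just above it, which permits sharing patched software "without prior consultation with security@xen and/or the discoverer", i.e. after consultation such sharing is allowed, yet it is not among the three items now declared exhaustive; either drop "only" or add a clause such as "and, after consultation with security@xen, patched software". Also, "existance" in `<li>The existance of an issue</li>` should be "existence", and the new bullet "the impact, scope, set of vulnerable systems or the nature of the vulnerability" would read more clearly as a comma-separated list ending in "or the nature of the vulnerability" with a comma before "or", matching the other bullets' wording.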
-- 
1.7.10.4
