From: Ian Jackson <ijackson@chiark.greenend.org.uk>
To: xen-devel@lists.xenproject.org
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Ian Jackson <ijackson@chiark.greenend.org.uk>
Subject: [PATCH v2 SECURITY-POLICY 5/9] Tighten, and make more objective, predisclosure list application
Date: Fri, 23 Jan 2015 19:31:16 +0000
Message-ID: <1422041480-1164-6-git-send-email-ijackson@chiark.greenend.org.uk>
In-Reply-To: <1422041480-1164-1-git-send-email-ijackson@chiark.greenend.org.uk>

Applicants should be required to:

  - Provide information on their public web pages which makes
    it clear that and why they are eligible;

  - Specifically, publicly state that and how they are using Xen
    (so that the Security Team can verify eligibility);

  - Provide a way for members of the public to responsibly report
    security problems to the applicant, just as the Xen Project does.

The Security Team should be forbidden from trying to hunt down
eligibility information etc. and should instead be mandated to reject
incomplete requests.

Also remove the "case-by-case-basis" membership exception.  This is
not consistent with the new objective membership application process.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
 security_vulnerability_process.html |   79 ++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 25 deletions(-)

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index 8870f8d..de8fd44 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -176,9 +176,7 @@ development, is very likely to be accepted; whereas a project with a
 single developer who spends a few hours a month will most likey be
 rejected.</p>
 <p>For organizational users, a rule of thumb is that "large scale"
-means an installed base of 300,000 or more Xen guests. Other
-well-established organisations with a mature security response process
-will be considered on a case-by-case basis.</p>
+means an installed base of 300,000 or more Xen guests.</p>
 <p>The list of entities on the pre-disclosure list is public. (Just
 the list of projects and organisations, not the actual email
 addresses.)</p>
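Review bot: with the case-by-case sentence removed, the "300,000 or more Xen guests" rule of thumb becomes the only stated test for organisational applicants, but nothing in the new list of required information (the second hunk) asks an organisation to state its installed base or to link a public page from which the Security Team could check that figure; either add that to the required information or say here that the figure is judged from the public evidence the applicant links. The commit message gives consistency with the objective application process as the reason for the removal, so this is about the gap the removal leaves rather than the removal itself.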
@@ -231,35 +229,66 @@ longer permitted in accordance with MITRE policy.</p>
 predisclosure-applications@xenproject&lt;d<span>ot</span>&gt;org
 (which is a public mailing list) if they wish to receive
 pre-disclosure of advisories.
-<p>Please include in the e-mail:</p>
+<p>You must include in the e-mail:</p>
 <ul>
   <li>The name of your organization</li>
-  <li>A brief description of why you fit the criteria, along with
-  evidence to support the claim</li>
-  <li>A security alias e-mail address (no personal addresses -- see
-  below)</li>
-  <li>A link to a web page with your security policy statement</li>
+  <li>Domain name(s) which you use to provide Xen software/services</li>
+  <li>A brief description of why you fit the criteria</li>
+  <li>If not all of your products/services use Xen, a list of (some
+  of) your products/services (or categories thereof) which do.</li>
+  <li>Link(s) to current public web pages, belonging to your
+  organisation, for each of following pieces of information:
+    <ul>
+      <li>Evidence of your status as a service/software provider:
+        <ul>
+          <li>If you are a public hosting provider, your public rates
+          or how to get a quote</li>
+          <li>If you are a software provider, how your
+          software can be downloaded or purchased</li>
+          <li>If you are an open-source project, a mailing list
+          archive and/or version control repository, with
+          active development</li>
+        </ul>
+      </li>
+      <li>Evidence of your status as a user/distributor of Xen:
+        <ul>
+          <li>Statements about, or descriptions of, your eligible
+          production services or released software, from which it is
+          immediately evident that they use Xen.
+        </ul>
+      </li>
+      <li>Information about your handling of security problems:
+        <ul>
+          <li>Your invitation to members of the public, who discover
+          security problems with your products/services, to report
+          them in confidence to you;
+          <li>Specifically, the contact information (email addresses or
+          other contact instructions) which such a member of the
+          public should use.
+        </ul>
+      </li>
+    </ul>
+    <p>Blog postings, conference presentations, social media pages,
+    Flash presentations, videos, sites which require registration,
+    anything password-protected, etc., are not acceptable.  PDFs of
+    reasonable size are acceptable so long as the URL you provide is
+    of a ordinary HTML page providing a link to the PDF.</p>
+    <p>If the pages are long and/or PDFs are involved, your email
+    should say which part of the pages and documents are relevant.</p>
+  </li>
   <li>A statement to the effect that you have read this policy and
   agree to abide by the terms for inclusion in the list, specifically
   the requirements to regarding confidentiality during an embargo
   period</li>
-  <li>Evidence that will be considered may include the following:
-    <ul>
-      <li>If you are a public hosting provider, a link to a web page
-      with your public rates</li>
-      <li>If you are a software provider, a link to a web page where
-      your software can be downloaded or purchased</li>
-      <li>If you are an open-source project, a link to a mailing list
-      archive and/or a version control repository demonstrating active
-      development</li>
-      <li>A public key signed with a key which is in the PGP "strong
-      set"</li>
-    </ul>
-  </li>
+  <li>The single (non-personal) email alias you wish added to the
+  predisclosure list.</li>
 </ul>
-<p>Organizations already on the list who do not have a security alias
-or have not sent a statement that they have read this policy and will
-abide by, it will be asked to do so. </p>
+<p>Your application will be determined by the Xen Project Security
+Team, and their decision posted to the list.  The Security Team has
+no discretion to accept applications which do not provide all of the
+information required above.</p>
+<p>If you are dissatisfied with the Security Team's decision you may
+appeal it via the Xen Project's governance processes.</p>
 <p>Organisations should not request subscription via the mailing list
 web interface.  Any such subscription requests will be rejected and
 ignored.</p>
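Review bot: two things disappear from the old text without the commit message saying so: the "A public key signed with a key which is in the PGP 'strong set'" evidence item, and the closing paragraph asking organisations already on the list to supply a security alias and a statement that they have read and will abide by the policy. If dropping the key item is intended, the commit message should say so; and the new text should state whether existing members must now satisfy these requirements or are unaffected, since the paragraph that covered them is gone. Smaller points in the new list: the "Statements about, or descriptions of, ...", "Your invitation to members of the public, ..." and "Specifically, the contact information ..." items are not closed with `</li>` while every sibling item is; "for each of following pieces of information" needs "the"; "of a ordinary HTML page" should read "of an ordinary HTML page"; and the unchanged context line "the requirements to regarding confidentiality" has a stray "to" that could be fixed while this list is being rewritten.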
-- 
1.7.10.4
