[PATCH v2 SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo

From: Ian Jackson <ijackson@chiark.greenend.org.uk>
To: xen-devel@lists.xenproject.org
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>,
	Ian Jackson <ijackson@chiark.greenend.org.uk>
Subject: [PATCH v2 SECURITY-POLICY 6/9] Explicitly permit within-list information sharing during embargo
Date: Fri, 23 Jan 2015 19:31:17 +0000	[thread overview]
Message-ID: <1422041480-1164-7-git-send-email-ijackson@chiark.greenend.org.uk> (raw)
In-Reply-To: <1422041480-1164-1-git-send-email-ijackson@chiark.greenend.org.uk>

Permitting sharing of embargoed fixes amongst predisclosure list
seemed to have appropriate consensus.

IMPLEMENTATION TASKS:
 * Send a notification to the existing predisclosure list members
   informing them that they have been subscribed to the new list.
   Notice should point them to the policy section on filtering
   by List-Id, and offer to unsubscribe them from both lists if
   they prefer.
 * Create the new mailing list, and
   - check that it can be emailed from outside
   - that messages are held for moderation and can be approved

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>

---
v2: Obfuscate -discuss@ list's full email address with <dot>
    and <span>.
---
 security_vulnerability_process.html |   21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index de8fd44..2d32e51 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -224,6 +224,27 @@ situations are expected to be rare.</p>
 <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
 permitted to also make available the allocated CVE number. This is no
 longer permitted in accordance with MITRE policy.</p>
+<h3>Information-sharing amongst predisclosure list members</h3>
+<p>Predisclosure list members are allowed to share fixes to embargoed issues,
+analysis, etc., with the security teams of other list members.
+Technical measures must be taken to prevents non-list-member
+organisations, or unauthorised staff in list-member organisations,
+from obtaining the embargoed materials.</p>
+<p>The Xen Project provides the mailing list
+<code>xen-security-issues-discuss@lists.xenproject&lt;do<span>t&gt;</span>org</code>
+for this purpose.  List members are encouraged to use it but
+may share with other list members' security teams via other
+channels.</p>
+<p>The <code>-discuss</code> list's distribution is identical to that of the primary
+predisclosure list <code>xen-security-issues</code>.  Recipient organisations who
+do not wish to receive all of the traffic on -discuss should use
+recipient-side email filtering based on the provided <code>List-Id</code>.</p>
+<p>The <code>-discuss</code> list is moderated by the Xen Project Security Team.
+Announcements of private availability of fixed versions, and
+technical messages about embargoed advisories, will be approved.
+Messages dealing with policy matters will be rejected with a
+reference to the Security Team contact address and/or public Xen
+mailing lists.</p>
 <h3>Predisclosure list membership application process</h3>
 <p>Organisations who meet the criteria should contact
 predisclosure-applications@xenproject&lt;d<span>ot</span>&gt;org
-- 
1.7.10.4
