From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Subject: [PATCH v2 SECURITY-POLICY 8/9] Clarify what
	announcements may be made by to service users
Date: Fri, 23 Jan 2015 19:31:19 +0000
Message-ID: <1422041480-1164-9-git-send-email-ijackson@chiark.greenend.org.uk>
References: <21689.27383.339939.319567@chiark.greenend.org.uk>
	<1422041480-1164-1-git-send-email-ijackson@chiark.greenend.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <Ian.Jackson@citrix.com>) id 1YEjxH-0007Ax-BN
	for xen-devel@lists.xenproject.org; Fri, 23 Jan 2015 19:31:43 +0000
In-Reply-To: <1422041480-1164-1-git-send-email-ijackson@chiark.greenend.org.uk>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: xen-devel@lists.xenproject.org
Cc: Ian Jackson <Ian.Jackson@eu.citrix.com>, Ian Jackson <ijackson@chiark.greenend.org.uk>
List-Id: xen-devel@lists.xenproject.org

Service provider list members should not be prevented from being
reasonably honest with their users.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
 security_vulnerability_process.html |    8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index 7412652..3b9c1ba 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -222,6 +222,14 @@ restrictions only insofar as it is necessary to prevent the exposure
 of technicalities (for example, differences in behaviour) which
 present a significant risk of rediscovery of the vulnerability.  Such
 situations are expected to be rare.</p>
+<p>Where the list member is a service provider who intends to take
+disruptive action such as rebooting as part of deploying a fix: the
+list member's communications to its users about the service disruption
+may mention that the disruption is to correct a security issue, and
+relate it to the public information about the issue (as listed above).
+This applies whether the deployment occurs during the embargo (with
+permission - see above) or is planned for after the end of the
+embargo.</p>
 <p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
 permitted to also make available the allocated CVE number. This is no
 longer permitted in accordance with MITRE policy.</p>
-- 
1.7.10.4