From: "Charles-H. Schulz" <charles.schulz@vates.fr>
To: xen-devel@lists.xenproject.org
Subject: Suggested changes to the admission policy of the vulnerability pre-disclosure list
Date: Thu, 15 Jul 2021 21:23:16 +0000	[thread overview]
Message-ID: <87r1fzclw0.fsf@vates.fr> (raw)


Hello,

I / we / Vates would like to suggest some changes to the policy regarding
enrollment in the pre-disclosure mailing list of the Xen Security Team.

We have had some talks with the French national CERT, which has a need to be a
recipient of such a list. This national CERT -and in my experience other
national CERTs such as the NIST for instance- is in constant contact with a
large Xen userbase that is mostly made up of large parts of the public sector
as well as critical infrastructure operators belonging to the private
sector. For confidentiality reasons they cannot disclose who uses Xen and
where it is used, nor who may be using it internally or within the related
national cybersecurity authority.

Because of that, their request may not be clear or may not match the existing
criteria for inclusion in the mailing list. National CERTs are trusted
actors and have historically been among the very first entities to define,
advocate for and put into practice the very notion of responsible
disclosure. Much of the current practice of Open Source projects in that
regard actually stems from CERTs. As part of their policies and processes
regarding vulnerability disclosure, the notion of confidentiality and
documented, waterfall-like processes of disclosure play an integral part of
how they handle information and publicity around vulnerabilities. As a result,
national CERTs (and the French National CERT) do not spread undisclosed
vulnerabilities without following established and agreed-upon processes. Such
processes include, in our instance, the ones defined and followed by the Xen
Security Team. Compliance with these is the first criterion to earn trust and
respect from the ecosystem and the downstream users. You can see an example
of their work here: https://www.cert.ssi.gouv.fr/

Part of the mission of the French National CERT is to work with
critical infrastructure providers in securing their IT.
This kind of expertise entails the securing of these information
systems before any unforeseen incident as well as after the incident
(incident remediation).
None of the tasks involved imply the communication of zero-day types
of vulnerabilities or vulnerabilities that are unpublished to the
downstream users.

I hope this clarifies the request and I'm looking forward to your feedback.

Best regards,

-- 
Charles-H. Schulz
Chief Strategy Officer - CSO
XCP-ng & Xen Orchestra - Vates solutions



Thread overview: 9+ messages
2021-07-15 21:23 Charles-H. Schulz [this message]
2021-07-16  7:52 ` Suggested changes to the admission policy of the vulnerability pre-disclosure list Jan Beulich
2021-07-16 13:13   ` Charles-H. Schulz
2021-07-16 15:21     ` Jan Beulich
2021-07-16 20:08       ` Charles-H. Schulz
2021-07-19  6:44         ` Jan Beulich
2021-07-19  8:49           ` Charles-H. Schulz
2021-07-23 13:09             ` George Dunlap
2021-07-23 16:08               ` Charles-H. Schulz
