From: George Dunlap
Subject: Re: Security vulnerability process, and CVE-2012-0217
Date: Wed, 4 Jul 2012 13:36:24 +0100
To: Stefano Stabellini
Cc: Lars Kurth, Matt Wilson, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

Let me toss another possibility out there.

So far this discussion has assumed that we can't have all interested parties on a list. Is that true? Could we have a list that either anyone can join, or limited by some easily verifiable criteria (e.g., has a website, a company e-mail in the same domain, and can provide a scan of some official document)?

Such a list would definitely be lower security than a more restricted list. So there would be two questions:

1. What would reasonable criteria for this kind of list be?

2. How would disclosing to this list fit within the embargo period, and with the discloser's wishes (if any)?

I think #2 would probably be:

* Make sure the discloser knows about the open nature of the list, and abide by their wishes. If the discloser considers the list to be a public disclosure, they may ask us not to announce to the list until the end of the embargo period, or until some period of time before the end (say, 1 week).

* By default, suggest disclosing to the list as soon as we have a fix available, and then making a public announcement (on blogs / press releases / whatever) some time afterwards (say, 1 or 2 weeks).

This is certainly more fair than options which have a list but limit the membership artificially by size.

For those who think a public announcement does not significantly increase the risk, this will be very similar to what they would have if we decided not to have a list at all. However, for those who believe that publicly announcing the vulnerability greatly increases the risk of exploitation, it will give them some extra time to patch their systems until that happens.

There will be administrative work on the part of someone at xen.org to determine who is on the list or not; but it shouldn't require too much extra effort on the part of the security team.

The only caveat I can think of is that it may increase the risk, during the time between the predisclosure and the public announcement, for those not on the list. We can basically assume that the list will have some blackhats. If the timeframe is anywhere near what some people have asked for (e.g., 3-4 weeks), then it might become worthwhile for people to develop an exploit to take advantage of people during that timeframe. This might be an acceptable cost, since those people *could* be on the list if they wanted.

Thoughts?

 -George