Re: Suggested changes to the admission policy of the vulnerability pre-disclosure list

[George Dunlap <dunlapg@umich.edu>]

[-- Attachment #1: Type: text/plain, Size: 4557 bytes --]

On Mon, Jul 19, 2021 at 9:49 AM Charles-H. Schulz <charles.schulz@vates.fr>
wrote:

>
> Jan Beulich @ 2021-07-19 08:44 CEST:
>
> >>
> >> They act as a resource center for their downstreams, but the
> information goes
> >> top down, i.e from the software developer to the downstream, not the
> >> opposite. Also how it entails an even bigger change to the list policy
> is
> >> unclear to me.
> >
> > For things to make sense (as you seem to agree with as per further up),
> > if their downstreams aren't to subscribe to our (and perhaps other)
> > pre-disclosure list themselves, the CERTs would need to act as a proxy,
> > in that they'd be permitted to relay the information before the embargo
> > ends. I didn't think there would be much of a difficulty seeing that
> > this would be more of a change to the policy.
>
> Indeed, because you assume that CERTs will communicate information before
> they are public. But they don't work that way in that they act as the legal
> and actual hub for the public information and listing of vulnerabilities
> reports (CVEs etc.) What they do before the end of the embargo date I
> already
> explained, and that specifically does not entail sharing the information
> with
> downstream users. So to me there is no big change of policy - this is the
> highway patrol sharing the license plate numbers of criminals or suspects
> with the city police.
>

Nonetheless, you still haven't made a clear case why being informed of the
vulnerabilities *under embargo* is necessary.  Anyone can sign up to the
xen-announce mailing list and receive notifications of XSAs at the moment
the embargo lifts.  We advertise *that new advisories are coming out* on
the main XSA webpage [1] and in a machine-readable JSON file [2] as soon as
the predisclosure happens.  (There are also libraries [3] to consume the
JSON file, and an example program [4] which could be run in a cron job to
alert someone to upcoming public XSA disclosures.) The delta between the
predisclosure and the public disclosure is typically two weeks.

Someone could argue that all of the activities you describe -- looking for
larger patterns of vulnerabilities, acting as a clearinghouse /
notification channel / advisory system for downstreams, etc -- could be
done by observing the public disclosures, particularly if suitable people
were alerted to upcoming public disclosures (and thus ready to process them
as soon as they come out).  What is needed is to make the case that this is
insufficient -- that having the extra two weeks to process things before
the public disclosure will be of material benefit in those activities.

(Hopefully it should be clear that I'm inviting you to make such a case.)

[1] https://xenbits.xenproject.org/xsa/
[2] https://xenbits.xenproject.org/xsa/xsa.json
[3]
https://gitlab.com/xen-project/people/gdunlap/go-xenlib/-/tree/master/xsalib
[4]
https://gitlab.com/xen-project/people/gdunlap/go-xenlib/-/tree/master/scripts/xsa-alert


> >> The what if question is not a valid one, as you are either recognized
> as a
> >> national CERT (there may sometimes be more than one) or you're not, by
> >> regulatory approval of some sort.  Nobody else can claim they're a
> national
> >> CERT.
> >> You can be a private CERT, but that's out of the scope of my request.
> >>
> >>> The present items on the list try to use pretty generic
> >>> terms, while your suggestion is pretty specific.
> >>
> >> So how is that a problem in our this specific instance?
> >
> > Why would we exclude private CERTs? I could easily see there being
> > countries which have no "national CERT" (for a variety of reasons),
> > with some private / non-government organization jumping in.
> >
>
> This is a good point I'm not making :)
> My request is solely about national CERTs, I do not feel that I have enough
> standing here requesting that private CERTs be added to the list, although
> I'm sure there's a point to be made here as well.
>

Jan, I think if you think it's better to include "private CERTs" (do such
things exist?), then it should be up to you (or someone else in favor of
such a thing) to craft the criteria for inclusion.  I personally think
limiting ourselves to national CERTs to begin with is fine.

In any case, what's needed to move things forward (absent further
discussion) is:

1. Specific proposed changes to the security policy to be hammered out

2. Someone to hold a project-wide vote, in accordance with the XenProject
Governance Document.

Normally #2 would be me, but today is my last day until January.

 -George

[-- Attachment #2: Type: text/html, Size: 6080 bytes --]