oss-sec mailing list archives
Xen vulnerability disclosure process, recent timeline
From: Solar Designer <solar () openwall com>
Date: Mon, 25 Jun 2012 13:30:06 +0400
Hi,

Here's a surprisingly detailed posting on Xen's vulnerability disclosure process and how the recent set of issues was handled (detailed timeline):

http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html

As always, this is all about tradeoffs, and many of the issues sound very familiar - yet I appreciate this level of transparency.

Regarding Xen's "pre-disclosure list", are messages on it PGP-encrypted to the recipients? Perhaps this should be made a requirement and mentioned at

http://www.xen.org/projects/security_vulnerability_process.html

It feels likely that in practice most leaks will be via means unaffected by the use of encryption, yet using PGP encryption is worthwhile.

Alexander