oss-sec mailing list archives

Xen vulnerability disclosure process, recent timeline


From: Solar Designer <solar () openwall com>
Date: Mon, 25 Jun 2012 13:30:06 +0400

Hi,

Here's a surprisingly detailed posting on Xen's vulnerability disclosure
process and how the recent set of issues was handled (detailed timeline):

http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html

As always, this is all about tradeoffs, and many of the issues sound
very familiar - yet I appreciate this level of transparency.

Regarding Xen's "pre-disclosure list", are messages on it PGP-encrypted
to the recipients?  Perhaps this should be made a requirement and
mentioned at http://www.xen.org/projects/security_vulnerability_process.html

It feels likely that in practice most leaks will be via means unaffected
by the use of encryption, yet using PGP encryption is worthwhile.

Alexander
