Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 25 Jun 2012 13:30:06 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: security@....org
Subject: Xen vulnerability disclosure process, recent timeline

Hi,

Here's a surprisingly detailed posting on Xen's vulnerability disclosure
process and how the recent set of issues was handled (detailed timeline):

http://lists.xen.org/archives/html/xen-devel/2012-06/msg01072.html

As always, this is all about tradeoffs, and many of the issues sound
very familiar - yet I appreciate this level of transparency.

Regarding Xen's "pre-disclosure list", are messages on it PGP-encrypted
to the recipients?  Perhaps this should be made a requirement and
mentioned at http://www.xen.org/projects/security_vulnerability_process.html

It feels likely that in practice most leaks will be via means unaffected
by the use of encryption, yet using PGP encryption is worthwhile.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.