I am planning on promoting a new email alias for Xen users to report security issues with the product - security@xen.org. I want this alias to include community members interested in learning about security issues to the product. Please send me your email if you would like to be added to this alias. I plan to post information about this alias late next week so people have time to respond to my request.

Thanks.

Stephen Spector
Sr. Program Manager, Xen.org
954.267.2853
stephen.spector@xen.org

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

> I am planning on promoting a new email alias for Xen users to report
> security issues with the product - security@xen.org. I want this alias to
> include community members interested in learning about security issues to
> the product. Please send me your email if you would like to be added to
> this alias. I plan to post information about this alias late next week so
> people have time to respond to my request.

Is there a reason why this shouldn't just be another mailing list? Or maybe I don't understand the purpose...

James

James Harper writes ("RE: [Xen-devel] New Email Account for Security"):
> Is there a reason why this shouldn't just be another mailing list? Or
> maybe I don't understand the purpose...

The purpose is to provide a point of contact for someone who thinks they have found a security problem (ie, a security bug) in Xen and would like to contact someone in confidence about it. A bit like vendor-sec but Xen-specific.

The list or alias (it doesn't really matter how it's implemented) needs to have approval on subscriptions so that the confidentiality can be maintained but the main Xen vendors should have no problem getting onto it. Given that, and the smallish size, running it as an alias seems reasonable.

Just to be clear, it's not a list for general discussion of security in Xen or possible new security functionality or TPM development or anything of that kind. It's just for vulnerability reports.

Reporters who prefer immediate full disclosure, rather than 'responsible disclosure' to a group of vendors, can continue to use xen-devel.

Ian.