Ian Jackson
2012-Jun-12 12:12 UTC
Security vulnerability process - lessons learned discussion
During the past weeks the Xen.org security team have been involved with the preparation, predisclosure and publication of Xen Security Advisories 7, 8 and 9. During this exercise we found that there were a number of difficulties with the current security vulnerability process. These include both the need for some straightforward procedural improvements, and some more thorny questions of policy.

We also wish to make the community aware of some of the key decisions we were faced with during the predisclosure period, and explain what we as the Xen.org team did and why.

Some members of the predisclosure list, and some community members who appear to have heard about a problem via some kind of leak, have also expressed the view to us that there are elements of the process that they feel could be improved.

However, many users - particularly those not on the predisclosure list - will be busy right now upgrading systems to cope with these vulnerabilities. We do not expect that community members will want to divert their resources from front-line security response to longer-term process improvements, and it is important that everyone gets a chance to participate properly in policy discussions without being overly distracted.

We therefore intend to postpone starting this discussion ourselves for around a week, until the 19th of June. We would respectfully request that other community members do likewise.

Starting on Tuesday the 19th of June we expect to have a full and frank conversation, and we look forward to engaging fully with the Xen community. The existing established consensus decision-making approach of the Xen project will of course be used to agree any changes to the vulnerability response process document.

Thanks,
Ian.
(on behalf of the Xen.org security response team)