As discussed on the xen-devel mailing list, expand eligibility of the
pre-disclosure list to include any public hosting provider, as well
as software projects:
* Change "Large hosting providers" to "Public hosting providers"
* Remove "widely-deployed" from vendors and distributors
* Add rules of thumb for what constitutes "genuine"
* Add an itemized list of information to be included in the application,
  to make expectations clear and (hopefully) applications more streamlined.
The first will allow hosting providers of any size to join.
The second will allow software projects and vendors of any size to join.
The third and fourth will help describe exactly what criteria will be used to
determine eligibility for 1 and 2.
Additionally, this proposal adds the following requirements:
* Applicants and current members must use an e-mail alias, not an individual's
  e-mail
* Applicants and current members must submit a statement saying that they have
  read, understand, and will abide by this process document.
v4:
- Make it clear that the organization is committing to respecting the
  secrecy, as well as committing to the secrecy of all members who are exposed
  to the information during the pre-disclosure period.
v3:
- Organizations already on the list also must conform to requirements for
  a security alias and a statement saying they've read and will abide by
  the policy.
v2:
- Include "genuine" software providers, and a rule of thumb for "genuine"
- Include evidence for software providers
- Allow "a key signed with a key in the PGP strong set" as evidence
- Require applicants to state they have read and understand policy
  and will abide by it
- Minor suggested clarifications
- Added version message at bottom
- Made security aliases a requirement
Signed-off-by: George Dunlap <george.dunlap@eu.citrix.com>