<p><em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was
permitted to also make available the allocated CVE number. This is no
longer permitted in accordance with MITRE policy.</p>
+<h3>Information-sharing amongst predisclosure list members</h3>
+<p>Predisclosure list members are allowed to share fixes to embargoed issues,
+analysis, etc., with the security teams of other list members.
+Technical measures must be taken to prevents non-list-member
+organisations, or unauthorised staff in list-member organisations,
+from obtaining the embargoed materials.</p>
+<p>The Xen Project provides the mailing list
+<code>xen-security-issues-discuss@lists.xenproject<do<span>t></span>org</code>
+for this purpose. List members are encouraged to use it but
+may share with other list members' security teams via other
+channels.</p>
+<p>The <code>-discuss</code> list's distribution is identical to that of the primary
+predisclosure list <code>xen-security-issues</code>. Recipient organisations who
+do not wish to receive all of the traffic on -discuss should use
+recipient-side email filtering based on the provided <code>List-Id</code>.</p>
+<p>The <code>-discuss</code> list is moderated by the Xen Project Security Team.
+Announcements of private availability of fixed versions, and
+technical messages about embargoed advisories, will be approved.
+Messages dealing with policy matters will be rejected with a
+reference to the Security Team contact address and/or public Xen
+mailing lists.</p>
<h3>Predisclosure list membership application process</h3>
<p>Organisations who meet the criteria should contact
predisclosure-applications@xenproject<d<span>ot</span>>org
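Review bot: In the first added paragraph, "Technical measures must be taken to prevents non-list-member organisations" has a grammar slip ("prevents" should be "prevent"), and the passive wording leaves open who carries the obligation. Since the next paragraph allows sharing "via other channels", consider making the sharing party explicit, for example "List members who share embargoed materials must take technical measures to prevent ...", so the requirement clearly covers those channels as well as the -discuss list. Two smaller consistency points: "-discuss" in "all of the traffic on -discuss" is not wrapped in <code> like the other mentions, and the "dot" obfuscation in the xen-security-issues-discuss address places its <span> differently from the predisclosure-applications address in the trailing context, so it is worth confirming both render the same way.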