We want to encourage people to report bugs they find to us. Therefore we will treat with respect the requests of discoverers, or other vendors, who report problems to us.
<h2 id="scope-of-this-process">Scope of this process</h2>
This process primarily covers the <a href="/developers/teams/xen-hypervisor/">Xen Hypervisor Project</a>. Specific information about features with security support can be found in
-<ol style="list-style-type: decimal">
+<ol style="list-style-type: decimal;">
<li><a href="http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=SUPPORT.md">SUPPORT.md</a> in the release tarball and its xen.git tree, and on <a href="https://xenbits.xen.org/docs/unstable/support-matrix.html">web pages generated from the SUPPORT.md file</a></li>
<li>For releases that do not contain SUPPORT.md, this information can be found on the <a href="https://wiki.xenproject.org/wiki/Xen_Project_Release_Features">Release Feature wiki page</a></li>
</ol>
Vulnerabilities reported against other Xen Project teams will be handled on a best effort basis by the relevant Project Lead together with the Security Response Team.
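Review bot: the only change in this `<ol style=...>` hunk (and in the five identical hunks further down) is a trailing semicolon inside the inline style attribute; that is valid CSS but has no rendering effect, so the commit message should state that these are cosmetic markup touch-ups, and they would be easier to review if kept apart from the changelog entry below that records a list-membership change.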
<h2 id="specific-process">Specific process</h2>
-<ol style="list-style-type: decimal">
+<ol style="list-style-type: decimal;">
<li>We request that anyone who discovers a vulnerability in Xen Project software reports this by email to security (at) xenproject (dot) org. (This also covers the situation where an existing published changeset is retrospectively found to be a security fix)</li>
<li>Immediately, and in parallel:
-<ol style="list-style-type: lower-alpha">
+<ol style="list-style-type: lower-alpha;">
<li>Those of us on the Hypervisor team who are aware of the problem will notify security@xenproject if disclosure wasn't made there already.</li>
<li>If the vulnerability is not already public, security@xenproject will negotiate with the discoverer regarding the embargo date and disclosure schedule. See below for detailed discussion.</li>
</ol>
</li>
<li>Furthermore, also in parallel:
-<ol style="list-style-type: lower-alpha">
+<ol style="list-style-type: lower-alpha;">
<li>security@xenproject will check whether the discoverer, or other people already aware of the problem, have allocated a CVE number. If not, we will acquire a CVE candidate number ourselves, and make sure that everyone who is aware of the problem is also aware of the CVE number.</li>
<li>If we think other software systems (for example, competing hypervisor systems) are likely to be affected by the same vulnerability, we will try to make those other projects aware of the problem and include them in the advisory preparation process.</li>
</ol>
(This may rely on the other project(s) having documented and responsive security contact points)
-<ol style="list-style-type: lower-alpha" start="3">
+<ol style="list-style-type: lower-alpha;" start="3">
<li>We will prepare or check patch(es) which fix the vulnerability. This would ideally include all relevant backports. Patches will be tightly targeted on fixing the specific security vulnerability in the smallest, simplest and most reliable way. Where necessary domain specific experts within the community will be brought in to help with patch preparation.</li>
<li>We will determine which systems/configurations/versions are vulnerable, and what the impact of the vulnerability is. Depending on the nature of the vulnerability this may involve sharing information about the vulnerability (in confidence, if the issue is embargoed) with hardware vendors and/or other software projects.</li>
<li>We will write a Xen advisory including information from (b)-(f).</li>
If a vulnerability is not already public, we would like to notify significant distributors and operators of Xen so that they can prepare patched software in advance. This will help minimise the degree to which there are Xen users who are vulnerable but can't get patches.
As discussed, we will negotiate with discoverers about disclosure schedule. Our usual starting point for that negotiation, unless there are reasons to diverge from this, would be:
-<ol style="list-style-type: decimal">
+<ol style="list-style-type: decimal;">
<li>One working week between notification arriving at security@xenproject and the issue of our own advisory to our predisclosure list. We will use this time to gather information and prepare our advisory, including required patches.</li>
<li>Two working weeks between issue of our advisory to our predisclosure list and publication.</li>
</ol>
Where the list member is a service provider who intends to take disruptive action such as rebooting as part of deploying a fix: the list member's communications to its users about the service disruption may mention that the disruption is to correct a security issue, and relate it to the public information about the issue (as listed above). This applies whether the deployment occurs during the embargo (with permission - see above) or is planned for after the end of the embargo.
-<em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.<a> </a>
+<em>NOTE:</em> Prior v2.2 of this policy (25 June 2014) it was permitted to also make available the allocated CVE number. This is no longer permitted in accordance with MITRE policy.
<h3 id="information-sharing-amongst-predisclosure-list-members">Information-sharing amongst predisclosure list members</h3>
Predisclosure list members are allowed to share fixes to embargoed issues, analysis, etc., with the security teams of other list members. Technical measures must be taken to prevent non-list-member organisations, or unauthorised staff in list-member organisations, from obtaining the embargoed materials.
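Review bot: dropping the empty `<a> </a>` is correct, but the retained line still reads "Prior v2.2 of this policy"; since the line is being rewritten anyway, change it to "Prior to v2.2 of this policy (25 June 2014) ...".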
-The Xen Project provides the mailing list <code>xen-security-issues-discuss@lists.xenproject<dot>org</code> for this purpose. List members are encouraged to use it but may share with other list members' security teams via other channels.
+The Xen Project provides the mailing list <code>xen-security-issues-discuss@lists.xenproject<dot>org</code> for this purpose. List members are encouraged to use it but may share with other list members' security teams via other channels.
The <code>-discuss</code> list's distribution is identical to that of the primary predisclosure list <code>xen-security-issues</code>. Recipient organisations who do not wish to receive all of the traffic on -discuss should use recipient-side email filtering based on the provided <code>List-Id</code>.
The <code>-discuss</code> list is moderated by the Xen Project Security Team. Announcements of private availability of fixed versions, and technical messages about embargoed advisories, will be approved. Messages dealing with policy matters will be rejected with a reference to the Security Team contact address and/or public Xen mailing lists.
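Review bot: the removed and added lines for the `xen-security-issues-discuss` address are identical as displayed, so the change is presumably escaping the `<dot>` inside `<code>`; that is needed, because an unescaped `<dot>` is parsed by the browser as an unknown element and disappears from the rendered address, so it must be written as `&lt;dot&gt;` (the same applies to the `predisclosure-applications` address in the next section). If the change is whitespace only, say so in the commit message so reviewers do not have to guess.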
<h3 id="predisclosure-list-membership-application-process">Predisclosure list membership application process</h3>
-Organisations who meet the criteria should contact <code>predisclosure-applications@lists.xenproject<dot>org</code> (which is a public <a href="help/mailing-list.html#predisclosure-applications">mailing list</a>) if they wish to receive pre-disclosure of advisories.
+Organisations who meet the criteria should contact <code>predisclosure-applications@lists.xenproject<dot>org</code> (which is a public <a href="help/mailing-list.html#predisclosure-applications">mailing list</a>) if they wish to receive pre-disclosure of advisories.
You must include in the e-mail:
<ul>
Organisations should not request subscription via the mailing list web interface. Any such subscription requests will be rejected and ignored.
-A role address (such as security at example dot com) should be used for each organisation, rather than one or more individual's direct email address. This helps to ensure that changes of personnel do not end up effectively dropping an organisation from the list.
-
-
+A role address (such as security@example.com) should be used for each organisation, rather than one or more individual's direct email address. This helps to ensure that changes of personnel do not end up effectively dropping an organisation from the list.
<h3 id="organizations-on-the-pre-disclosure-list">Organizations on the pre-disclosure list:</h3>
This is a list of organisations on the pre-disclosure list (not email addresses or internal business groups).
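Review bot: spelling out `security@example.com` instead of "security at example dot com" is clearer and safe, since example.com is reserved for documentation; while in this section, note that the `<ul>` opened right after "You must include in the e-mail:" has no `<li>` items and no closing tag in the lines shown, so the list of required fields appears to be lost in the rendered page and should be checked.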
<ul>
- <li>1 & 1 Internet AG</li>
+ <li>1 & 1 Internet AG</li>
<li>AIS, Inc</li>
<li>Alibaba Inc.</li>
<li>All Simple Internet Services</li>
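Review bot: the removed and added "1 & 1 Internet AG" lines are identical as displayed, so this is presumably `&` being escaped as `&amp;`; that is the right fix (a bare ampersand is tolerated by browsers but is not conforming HTML), and the same organisation appears in the v2.5 changelog entry below, where the same escaping should be applied consistently.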
<h2 id="changelog">Change History</h2>
<div class="box-note">
<ul>
+ <li><strong>v3.22 March 1st 2019:</strong> Added XCP-ng.org</li>
<li><strong>v3.21 Nov 19th 2018:</strong> Added XCP-ng.org</li>
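Review bot: the new v3.22 entry repeats the v3.21 text "Added XCP-ng.org" verbatim, and nothing else in this diff adds an organisation to the pre-disclosure list; either the entry should describe what this change actually does (markup cleanup), or the organisation-list addition it refers to is missing from the patch. Clarify before merging so the change history stays accurate.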
- <li><b>v3.20 June 14th 2018:</b> Added Star Lab</li>
+ <li><strong>v3.20 June 14th 2018:</strong> Added Star Lab</li>
<li><strong>v3.19 May 9th 2018:</strong> Remove Google and Xen 3.4 stable tree maintainer from the predisclosure list</li>
<li><strong>v3.18 April 27th 2018:</strong> Added reference to SUPPORT.md</li>
- <li><strong>v3.17 July 20th 2017:</strong> Added Zynstra</li>
- <li><strong>v3.16 April 21st 2017:</strong> Added HostPapa</li>
+ <li><strong>v3.17 July 20th 2017:</strong> Added Zynstra</li>
+ <li><strong>v3.16 April 21st 2017:</strong> Added HostPapa</li>
<li><strong>v3.15 March 21st 2017:</strong> Added CloudVPS (Feb 13) and BitDefender SRL (March 21) to the predisclosure list</li>
<li><strong>v3.14 Nov 30th 2016:</strong> Added FXVM.net to the predisclosure list</li>
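Review bot: from this point down, several removed/added pairs (v3.17, v3.16, v3.13 through v3.8, v3.6 through v3.4, v3.2, v3.0 and v2.9, v2.5) are identical as displayed, so the edit must be whitespace or entity escaping; confirm with `git diff -w` and state the nature of the change in the commit message. For the v2.5 entry the likely fix is `&` to `&amp;` in "1 & 1 Internet AG", matching the organisation list above.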
- <li><strong>v3.13 May 12th 2016:</strong> Added Serversaurus (Nov 17), The NetBSD Foundation (Dec 11), LLC and CloudLinux Inc. (May 12) to the predisclosure list</li>
- <li><strong>v3.12 Oct 21st 2015:</strong> Added missing years to release history. Added the following orgs to the predisclosure list: Qihoo 360 Technology Co. Ltd. (Aug 3rd), AIS Inc (Oct 20) and M.D.G. IT PTY LTD (Oct 21)</li>
- <li><strong>v3.11 July 2nd 2015:</strong> Added Huawei Technologies Co. Ltd to the predisclosure list</li>
- <li><strong>v3.10 June 9th 2015:</strong> Added 3rd paragraph to section "4. Advisory pre-release" as per the following <a href="http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg01202.html">vote</a> to amend the process. Added Sitehost to the predisclosure list</li>
- <li><strong>v3.9 June 2nd 2015:</strong> Added Jump Networks Ltd to predisclosure list and fixed rendering/numbering issue in html leading to duplicate numbering</li>
- <li><strong>v3.8 May 13th 2015:</strong> Removed Intel after list membership review on the basis of 3.d) of this process</li>
+ <li><strong>v3.13 May 12th 2016:</strong> Added Serversaurus (Nov 17), The NetBSD Foundation (Dec 11), LLC and CloudLinux Inc. (May 12) to the predisclosure list</li>
+ <li><strong>v3.12 Oct 21st 2015:</strong> Added missing years to release history. Added the following orgs to the predisclosure list: Qihoo 360 Technology Co. Ltd. (Aug 3rd), AIS Inc (Oct 20) and M.D.G. IT PTY LTD (Oct 21)</li>
+ <li><strong>v3.11 July 2nd 2015:</strong> Added Huawei Technologies Co. Ltd to the predisclosure list</li>
+ <li><strong>v3.10 June 9th 2015:</strong> Added 3rd paragraph to section "4. Advisory pre-release" as per the following <a href="http://lists.xenproject.org/archives/html/xen-devel/2015-06/msg01202.html">vote</a> to amend the process. Added Sitehost to the predisclosure list</li>
+ <li><strong>v3.9 June 2nd 2015:</strong> Added Jump Networks Ltd to predisclosure list and fixed rendering/numbering issue in html leading to duplicate numbering</li>
+ <li><strong>v3.8 May 13th 2015:</strong> Removed Intel after list membership review on the basis of 3.d) of this process</li>
<li><strong>v3.7 May 12th 2015:</strong> "Information-sharing amongst predisclosure list members" is now live; removed statements that this is not so</li>
- <li><strong>v3.6 Apr 15th 2015:</strong> Added Vollmar.net GmbH to the predisclosure list</li>
- <li><strong>v3.5 Mar 19th 2015:</strong> Added Bromium Inc to the predisclosure list</li>
- <li><strong>v3.4 Mar 13th 2015:</strong> Added Wavecon GmbH to the predisclosure list</li>
+ <li><strong>v3.6 Apr 15th 2015:</strong> Added Vollmar.net GmbH to the predisclosure list</li>
+ <li><strong>v3.5 Mar 19th 2015:</strong> Added Bromium Inc to the predisclosure list</li>
+ <li><strong>v3.4 Mar 13th 2015:</strong> Added Wavecon GmbH to the predisclosure list</li>
<li><strong>v3.3 Mar 10th 2015:</strong> Added Openminds BVBA, Public Access Networks Corp. (Panix.com), BetaForce Networks / LLC DBA vNucleus and Gentoo Linux to the predisclosure list</li>
- <li><strong>v3.2 Mar 4th 2015:</strong> Added Google, Gossamer Threads Inc. and Locaweb to the predisclosure list</li>
+ <li><strong>v3.2 Mar 4th 2015:</strong> Added Google, Gossamer Threads Inc. and Locaweb to the predisclosure list</li>
<li><strong>v3.1 Mar 3rd 2015:</strong> Added ChunkHost and Rimuhosting Ltd to the predisclosure list</li>
- <li><strong>v3.0 Feb </strong>11th <strong>2015 (published March </strong>2nd <strong>2015):</strong> New predisclosure list application process and information-sharing and -handling rules; and, minor clarifications.</li>
- <li><strong>v2.9 Dec 12th 2014:</strong> Added The Cloud Simplified (Xperience Group)</li>
+ <li><strong>v3.0 Feb </strong>11th <strong>2015 (published March </strong>2nd <strong>2015):</strong> New predisclosure list application process and information-sharing and -handling rules; and, minor clarifications.</li>
+ <li><strong>v2.9 Dec 12th 2014:</strong> Added The Cloud Simplified (Xperience Group)</li>
<li><strong>v2.8 Nov 3rd 2014:</strong> Added Host Europe Group (HEG.com)</li>
<li><strong>v2.7 Oct 21st 2014:</strong> Added the following vendors to the pre-disclosure list: OnePoundWebHosting Ltd, File Sanctuary, iWeb Technologies Inc., Memset</li>
<li><strong>v2.6 Oct 1st 2014:</strong> Added the following vendors to the pre-disclosure list: eApps Hosting, Namecheap Inc, Gaiacom, LC</li>
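Review bot: the v3.0 line is rewritten but keeps the broken bold wrapping, `<strong>v3.0 Feb </strong>11th <strong>2015 (published March </strong>2nd <strong>2015):</strong>`, which leaves "11th" and "2nd" unbolded in the middle of the date; since the line is already being touched, collapse it to `<strong>v3.0 Feb 11th 2015 (published March 2nd 2015):</strong>` to match every other entry.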
- <li><strong>v2.5 Sept 30th 2014:</strong> Added the following vendors to the pre-disclosure list: 1 & 1 Internet AG, Alibaba Inc., All Simple Internet Services, BitFolk Ltd, drServer.net, Inception Hosting Ltd, LiquidWeb.com, RailsMachine.com, SecureAX Pte Ltd, Steadfast.net, Tranquil Hosting, Inc, Zynga and ZZ Servers</li>
+ <li><strong>v2.5 Sept 30th 2014:</strong> Added the following vendors to the pre-disclosure list: 1 & 1 Internet AG, Alibaba Inc., All Simple Internet Services, BitFolk Ltd, drServer.net, Inception Hosting Ltd, LiquidWeb.com, RailsMachine.com, SecureAX Pte Ltd, Steadfast.net, Tranquil Hosting, Inc, Zynga and ZZ Servers</li>
<li><strong>v2.4 Sept 29th 2014:</strong> Added the following vendors to the pre-disclosure list: mammoth.net.au, NFOServers.com, LFCHosting.com, OrionVM.com, SoftLayer and SSDnodes.com</li>
<li><strong>v2.3 Sept 26th 2014:</strong> Added the following vendors to the pre-disclosure list: Host Virtual Inc., Gandi.net, GoGrid.com, OnApp.com / SolusVM.com and prgmr.com</li>
<li><strong>v2.2 Jun 2014:</strong> In accordance with MITRE's guidelines it is no longer permissible to share CVE numbers of embargoed issues</li>