xenbits.xensource.com Git - people/iwj/security-process.git/commitdiff
Clarify what info predisclosure list members may share during an embargo

author Ian Campbell <ian.campbell@citrix.com>
Thu, 16 Aug 2012 14:04:43 +0000 (15:04 +0100)
committer Ian Campbell <ian.campbell@citrix.com>
Thu, 16 Aug 2012 14:04:43 +0000 (15:04 +0100)

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
  "7. Public communications during the embargo period"

security_vulnerability_process.html

index d1a66299cf556e212e3734d9c1f29bf7815c07a1..eff108a5570312ccd4a7d7fc12c480eda861149c 100644 (file)
@@ -195,9 +195,17 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr
     should not make available, even to their own customers and partners:<ul>
        <li>the Xen.org advisory</li>
        <li>their own advisory</li>
+       <li>the impact, scope, set of vulnerable systems or the nature
+       of the vulnerability</li>
        <li>revision control commits which are a fix for the problem</li>
        <li>patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.</li>
     </ul></p>    
+    <p>List members are allowed to make available to their users only the following:<ul>
+       <li>The existance of an issue</li>
+       <li>The assigned XSA and CVE numbers</li>
+       <li>The planned disclosure date</li>
+    </ul></p>
+
     <p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.</p>    
     <p>The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.</p>
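Review bot: "existance" in the added allowed-list item ("The existance of an issue") should be "existence". The new list also capitalises its items ("The assigned XSA and CVE numbers", "The planned disclosure date") while the preceding list in the same section starts each item in lowercase ("the Xen.org advisory", "their own advisory"); match the existing style. Finally, the new paragraph addresses "their users" where the paragraph immediately above says "even to their own customers and partners"; using the same term in both places would avoid suggesting that the prohibited list and the permitted list apply to different audiences.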