From: Ian Jackson
Date: Fri, 16 Jan 2015 19:51:21 +0000 (+0000)
Subject: Clarify what announcements may be made to service users
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=084437be4ea3e4783124dadd7101bff2c9815d48;p=people%2Flarsk%2Fsecurity-process.git
Clarify what announcements may be made to service users
Service provider list members should not be prevented from being
reasonably honest with their users.
Signed-off-by: Ian Jackson
---
diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index 7412652..3b9c1ba 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -222,6 +222,14 @@ restrictions only insofar as it is necessary to prevent the exposure
of technicalities (for example, differences in behaviour) which
present a significant risk of rediscovery of the vulnerability. Such
situations are expected to be rare.
+Where the list member is a service provider who intends to take
+disruptive action such as rebooting as part of deploying a fix: the
+list member's communications to its users about the service disruption
+may mention that the disruption is to correct a security issue, and
+relate it to the public information about the issue (as listed above).
+This applies whether the deployment occurs during the embargo (with
+permission - see above) or is planned for after the end of the
+embargo.
NOTE: Prior v2.2 of this policy (25 June 2014) it was
permitted to also make available the allocated CVE number. This is no
longer permitted in accordance with MITRE policy.
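Review bot: The added paragraph leaves open which identifiers a service provider may quote when it "relate[s] it to the public information about the issue (as listed above)", even though the very next sentence in context says the CVE number may no longer be made available under MITRE policy; state explicitly that the CVE restriction in the NOTE still applies to these user-facing disruption notices, so the new permission is not read as overriding it. The parenthetical "(with permission - see above)" would also be clearer as a direct reference to the specific section that grants deployment permission during the embargo, rather than an unanchored "see above".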