From: Ian Campbell <ian.campbell@citrix.com>
Date: Thu, 16 Aug 2012 14:04:43 +0000 (+0100)
Subject: Clarify what info predisclosure list members may share during an
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=e19269948c17b220b74350568e3c577305a8f60b;p=people%2Flarsk%2Fsecurity-process.git

Clarify what info predisclosure list members may share during an
embargo

See <20448.49637.38489.246434@mariner.uk.xensource.com>, section
  "7. Public communications during the embargo period"
---

diff --git a/security_vulnerability_process.html b/security_vulnerability_process.html
index d1a6629..eff108a 100644
--- a/security_vulnerability_process.html
+++ b/security_vulnerability_process.html
@@ -195,9 +195,17 @@ if(ns4)_d.write("<scr"+"ipt type=text/javascript src=/globals/mmenuns4.js><\/scr
     should not make available, even to their own customers and partners:<ul>
        <li>the Xen.org advisory</li>
        <li>their own advisory</li>
+       <li>the impact, scope, set of vulnerable systems or the nature
+       of the vulnerability</li>
        <li>revision control commits which are a fix for the problem</li>
        <li>patched software (even in binary form) without prior consultation with security@xen and/or the discoverer.</li>
     </ul></p>    
+    <p>List members are allowed to make available to their users only the following:<ul>
+       <li>The existance of an issue</li>
+       <li>The assigned XSA and CVE numbers</li>
+       <li>The planned disclosure date</li>
+    </ul></p>
+
     <p>Organisations who meet the criteria should contact security@xen if they wish to receive pre-disclosure of advisories.</p>    
     <p>The pre-disclosure list will also receive copies of public advisories when they are first issued or updated.</p>