From a799d6b7a8313129ad57295572ac693ee18eaf9c Mon Sep 17 00:00:00 2001
From: Lars Kurth <lars.kurth@citrix.com>
Date: Mon, 19 Mar 2018 16:03:11 +0100
Subject: [PATCH] Make Security Policy Doc ready to become a CNA

To become a CNA, we need to more clearly specifiy the scope of
security support. This change updates the document and points
to SUPPORT.md and pages generated from SUPPORT.md

Also fixed a typo in the following paragraph.

Signed-off-by: Lars Kurth <lars.kurth@citrix.com>
Acked-by: George Dunlap <george.dunlap@citrix.com>
Acked-by: Juergen Gross <jgross@suse.com>
Acked-by: Ian Jackson <ian.jackson@citrix.com>
---
 security-policy.html   |  8 +++++++-
 security-policy.pandoc | 12 ++++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/security-policy.html b/security-policy.html
index 6cc44c5..50e4d4e 100644
--- a/security-policy.html
+++ b/security-policy.html
@@ -3,7 +3,12 @@
 <p>Computer systems have bugs. Currently recognised best practice for bugs with security implications is to notify significant downstream users in private; leave a reasonable interval for downstreams to respond and prepare updated software packages; then make public disclosure.</p>
 <p>We want to encourage people to report bugs they find to us. Therefore we will treat with respect the requests of discoverers, or other vendors, who report problems to us.</p>
 <h2 id="scope-of-this-process">Scope of this process</h2>
-<p>This process primarily covers the <a href="index.php?option=com_content&amp;view=article&amp;id=82:xen-hypervisor&amp;catid=80:developers&amp;Itemid=484">Xen Hypervisor Project</a>. Vulnerabilties reported against other Xen Project teams will be handled on a best effort basis by the relevant Project Lead together with the Security Response Team.</p>
+<p>This process primarily covers the <a href="index.php?option=com_content&amp;view=article&amp;id=82:xen-hypervisor&amp;catid=80:developers&amp;Itemid=484">Xen Hypervisor Project</a>. Specific information about features with security support can be found in</p>
+<ol style="list-style-type: decimal">
+    <li><a href="http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=SUPPORT.md">SUPPORT.md</a> in the releases' tar ball and its xen.git tree and on <a href="https://xenbits.xen.org/docs/unstable/support-matrix.html">web pages generated from the SUPPORT.md file</a></li>
+    <li>For releases that do not contain SUPPORT.md, this information can be found on the <a href="https://wiki.xenproject.org/wiki/Xen_Project_Release_Features">Release Feature wiki page</a></li>
+</ol>
+<p>Vulnerabilities reported against other Xen Project teams will be handled on a best effort basis by the relevant Project Lead together with the Security Response Team.</p>
 <h2 id="specific-process">Specific process</h2>
 <ol style="list-style-type: decimal">
     <li>
@@ -248,6 +253,7 @@ A role address (such as <script type="text/javascript">
 <h2 id="change-history">Change History</h2>
 <div class="box-note">
     <ul>
+        <li><strong>v3.18 April 27th 2018:</strong>Â Added reference to SUPPORT.md</li>
         <li><strong>v3.17 July 20th 2017:</strong> Added Zynstra</li>
         <li><strong>v3.16 April 21st 2017:</strong> Added HostPapa</li>
         <li><strong>v3.15 March 21st 2017:</strong> Added CloudVPS (Feb 13) and BitDefender SRL (March 21) to the predisclosure list</li>
diff --git a/security-policy.pandoc b/security-policy.pandoc
index 5783183..919a575 100644
--- a/security-policy.pandoc
+++ b/security-policy.pandoc
@@ -19,7 +19,15 @@ Scope of this process
 
 This process primarily covers the [Xen Hypervisor
 Project](index.php?option=com_content&view=article&id=82:xen-hypervisor&catid=80:developers&Itemid=484).
-Vulnerabilties reported against other Xen Project teams will be handled on a
+Specific information about features with security support can be found in
+
+1.  [SUPPORT.md](http://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=SUPPORT.md)
+    in the releases' tar ball and its xen.git tree and on
+    [web pages generated from the SUPPORT.md file](https://xenbits.xen.org/docs/unstable/support-matrix.html)
+2.  For releases that do not contain SUPPORT.md, this information can be found
+    on the [Release Feature wiki page](https://wiki.xenproject.org/wiki/Xen_Project_Release_Features)
+
+Vulnerabilities reported against other Xen Project teams will be handled on a
 best effort basis by the relevant Project Lead together with the Security
 Response Team.
 
@@ -401,7 +409,7 @@ Change History
 --------------
 
 <div class="box-note">
-
+-   **v3.18 April 27th 2018:**Â Added reference to SUPPORT.md
 -   **v3.17 July 20th 2017:**Â Added Zynstra
 -   **v3.16 April 21st 2017:**Â Added HostPapa
 -   **v3.15 March 21st 2017:** Added CloudVPS (Feb 13) and BitDefender SRL
-- 
2.39.5

