Security disclosure process discussion update

George Dunlap

Dec 17, 2012 — 1 min read

After concluding our poll about changes to the security discussion, we determined that “Pre-disclosure to software vendors and a wide set of users” was probably the best fit for the community. A set of concrete changes to the policy have now been discussed on xen-devel (here and here), and we seem to have converged on something everyone finds acceptable.
We are now presenting these changes for public review. The purpose of this review process is to allow feedback on the text which will be voted on, in accordance to the Xen.org governance procedure. Our plan is to leave this up for review until the third week in January. Any substantial updates will be mentioned on the blog and will extend the review time.
All feedback and discussion should happen in public on the xen-devel mailing list. If you have any suggestions for how to improve the proposal, please e-mail the list, and cc George Dunlap (george dot dunlap at citrix.com).
Read on for a summary of the updates, as well as links to the full text of the original and proposed new policies.

Summary of the updates

As discussed on the xen-devel mailing list, expand eligibility of the pre-disclosure list to include any public hosting provider, as well as software project:

Change “Large hosting providers” to “Public hosting providers”
Remove “widely-deployed” from vendors and distributors
Add rules of thumb for what constitutes “genuine”
Add an itemized list of information to be included in the application, to make expectations clear and (hopefully) applications more streamlined.

The first will allow hosting providers of any size to join.
The second will allow software projects and vendors of any size to join.
The third and fourth will help describe exactly what criteria will be used to determine eligibility for 1 and 2.
Additionally, this proposal adds the following requirements:

Applicants and current members must use an e-mail alias, not an
individual’s e-mail
Applicants and current members must submit a statement saying that
they have read, understand, and will abide by this process document.

The new policy in its entirety can be found here:
http://wiki.xen.org/wiki/Security_vulnerability_process_draft
For comparison, the current policy can be found here:
http://www.xen.org/projects/security_vulnerability_process.html

Let’s Grow Xen Together!

03/18/2025

Xen is open, secure, and built for the future. As the new Community Manager, I’m focused on growing the Xen community, welcoming new contributors, and ensuring a thriving ecosystem. Let’s build the future of virtualization together!

Xen Project 4.20: A Step Forward in Open Source Virtualization

03/11/2025

The Xen Project has released Xen 4.20 🎉! This release introduces a range of enhancements that further solidify its position as the premier open-source hypervisor. It delivers important security updates, improved performance, and broader hardware support. Xen has doubled down as the best choice for cloud providers, enterprise users, and

Xen Project Winter Meetup

02/13/2025

We just wrapped up the Xen Winter Meetup 2025. It was an amazing opportunity to push Xen forward in a way that can only happen when people get together in person. Organized by Vates, we hosted it at the University of Grenoble IMAG building, a great spot for cutting-edge research

Welcome Honda to the Xen Project Board

12/09/2024

We're excited to announce our newest Advisory Board Member Honda, to Xen Project. Since its foundation, Honda has been committed to "creating a society that is useful to people" by utilizing its technologies and ideas. Honda also focuses on environmental responsiveness and traffic safety, and continue

Summary of the updates

Read more