Xen Project Security Policy Improvements: Get Involved

The recent XSA-108 vulnerability resulted in a lot of media coverage, which ended up stress-testing some of our policy and security related processes. During the embargo period of XSA-108, the Xen Project Security Team was faced with some difficult questions of policy interpretation, as well as practical issues related to pre-disclosure list membership applications.
To ensure more clarity moving forward, the Xen Project Security Team started a community consultation to improve and better define the project’s Security Vulnerability Response Process. In particular we are seeking to clarify the following elements of the policy, which surfaced during the embargo period of XSA-108:

  • Sharing of information amongst pre-disclosure list members during an embargo period
  • Deployment of patches on public systems of fixed versions of the Xen Project Hypervisor during the embargo period
  • Service announcements to non-list-member users during an embargo period
  • Clarifying criteria related to pre-disclosure list membership and making it easier to verify them
  • Processing applications of pre-disclosure list membership during an embargo period

For more background and information read the e-mail thread on xen-devel@ called Security policy ambiguities – XSA-108 process post-mortem (also see here to see the entire conversation thread in one place).
If you use Xen Project Software in any way, we encourage you to voice your thoughts to help formulate and update our security policy to ensure it meets the needs of our entire community. To take part in the discussion please send mail to xen-devel@lists.xenproject.org. If you are a member of the list just reply to the relevant thread. If you are not a member of the mailing list and plan to respond to an e-mail that has already been sent you have two easy options:

  • You can reply to the message via our issue tracker using the Reply to this message link at the top of the message; or
  • Retrieve the mbox from the issue issue tracker, load the thread into your mail client and just reply.

Even if you chose not to subscribe to xen-devel@ – which you don’t have to participate – you may want to occasionally check the discussion thread activity on this thread, to ensure you are not missing any activity.
Going forward, we will collate community input and propose a revised version of the policy, which will be formally approved in line with Xen Project Governance. We have not set a specific deadline for the discussion, but aim to issue a revised policy within 4 weeks.

Read more

Welcome Honda to the Xen Project Board
12/09/2024

We're excited to announce our newest Advisory Board Member Honda, to Xen Project. Since its foundation, Honda has been committed to "creating a society that is useful to people" by utilizing its technologies and ideas. Honda also focuses on environmental responsiveness and traffic safety, and continue

Say hello to our new website
12/05/2024

Hello Xen Community, You may have noticed something different... We've refreshed our existing website! Why did we do this? Well, all these new changes are part of an ongoing effort to increase our visibility and make it easier to find information on pages. We know how important it

Xen Project Announces Performance and Security Advancements with Release of 4.19
08/05/2024

New release marks significant enhancements in performance, security, and versatility across various architectures.  SAN FRANCISCO – July 31st, 2024 – The Xen Project, an open source project under the Linux Foundation, is proud to announce the release of Xen Project 4.19. This release marks a significant milestone in enhancing performance, security,

Upcoming Closure of Xen Project Colo Facility
07/10/2024

Dear Xen Community, We regret to inform you that the Xen Project is currently experiencing unexpected changes due to the sudden shutdown of our colocated (colo) data center facility by Synoptek. This incident is beyond our control and will impact the continuity of OSSTest (the gating Xen Project CI loop)