Security disclosure process discussion update

After concluding our poll about changes to the security discussion, we determined that “Pre-disclosure to software vendors and a wide set of users” was probably the best fit for the community. A set of concrete changes to the policy have now been discussed on xen-devel (here and here), and we seem to have converged on something everyone finds acceptable.
We are now presenting these changes for public review. The purpose of this review process is to allow feedback on the text which will be voted on, in accordance to the Xen.org governance procedure. Our plan is to leave this up for review until the third week in January. Any substantial updates will be mentioned on the blog and will extend the review time.
All feedback and discussion should happen in public on the xen-devel mailing list. If you have any suggestions for how to improve the proposal, please e-mail the list, and cc George Dunlap (george dot dunlap at citrix.com).
Read on for a summary of the updates, as well as links to the full text of the original and proposed new policies.

Summary of the updates

As discussed on the xen-devel mailing list, expand eligibility of the pre-disclosure list to include any public hosting provider, as well as software project:

  • Change “Large hosting providers” to “Public hosting providers”
  • Remove “widely-deployed” from vendors and distributors
  • Add rules of thumb for what constitutes “genuine”
  • Add an itemized list of information to be included in the application, to make expectations clear and (hopefully) applications more streamlined.

The first will allow hosting providers of any size to join.
The second will allow software projects and vendors of any size to join.
The third and fourth will help describe exactly what criteria will be used to determine eligibility for 1 and 2.
Additionally, this proposal adds the following requirements:

  • Applicants and current members must use an e-mail alias, not an
    individual’s e-mail
  • Applicants and current members must submit a statement saying that
    they have read, understand, and will abide by this process document.

The new policy in its entirety can be found here:
http://wiki.xen.org/wiki/Security_vulnerability_process_draft
For comparison, the current policy can be found here:
http://www.xen.org/projects/security_vulnerability_process.html

Read more

Xen Project Announces Performance and Security Advancements with Release of 4.19
08/05/2024

New release marks significant enhancements in performance, security, and versatility across various architectures.  SAN FRANCISCO – July 31st, 2024 – The Xen Project, an open source project under the Linux Foundation, is proud to announce the release of Xen Project 4.19. This release marks a significant milestone in enhancing performance, security,

Upcoming Closure of Xen Project Colo Facility
07/10/2024

Dear Xen Community, We regret to inform you that the Xen Project is currently experiencing unexpected changes due to the sudden shutdown of our colocated (colo) data center facility by Synoptek. This incident is beyond our control and will impact the continuity of OSSTest (the gating Xen Project CI loop)

Xen Summit Talks Now Live on YouTube!
06/18/2024

Hello Xen Community! We have some thrilling news to share with you all. The highly anticipated talks from this year’s Xen Summit are now live on YouTube! Whether you attended the summit in person or couldn’t make it this time, you can now access all the insightful presentations

Get ready for Xen Summit 2024!
05/24/2024

With less than 2 weeks to go, are you ready? The Xen Project is gearing up for a summit full of discussions, collaboration and innovation. If you haven’t already done so – get involved by submitting a design session topic. Don’t worry if you can’t attend in person,