Vulnerability embargo dates - add your public holidays

Vulnerability embargo dates - add your public holidays

Ian Jackson-2
When the Xen Project Security Team talks to discoverers about choice
of release dates for security vulnerabilities, we generally try to
avoid known public holidays (subject to other constraints such as the
discoverer's requirements, the Xen Project policy, and so on).

We wish to make this arrangement a bit more formal, and in particular
to provide discoverers (who ultimately decide disclosure dates) and
the Security Team (who often give advice) with good information to
support their decisions.

To this end we have created a wiki page where interested community
members can document public holidays which would affect their ability
to respond to security issues.

Please see:
  https://wiki.xenproject.org/wiki/HolidayCalendar

If you would like your circumstances taken into account, please add to
the data for 2017 on that page.

Note that if you do not already have write access to the wiki, you'll
have to request it.  Sorry for the inconvenience, and please see:
  https://wiki.xenproject.org/wiki/Main_Page

Also, as the HolidayCalendar wiki page says:

  Note that disclosure schedules are determined by the discoverers of
  vulnerabilities who do not need to follow the guidelines in the Xen
  Project policy.  Where discoverers ask the Xen Project Security Team
  for advice, or choose to follow the policy, the holiday information
  here is advisory only.  Because the policy requires us to consider
  other factors too, we cannot guarantee to avoid holidays.

Ian.

_______________________________________________
Xen-announce mailing list
[hidden email]
https://lists.xen.org/xen-announce

Reminder: Vulnerability embargo dates - add your public holidays

Ian Jackson-2
In mid-May I wrote:

> When the Xen Project Security Team talks to discoverers about choice
> of release dates for security vulnerabilities, we generally try to
> avoid known public holidays (subject to other constraints such as the
> discoverer's requirements, the Xen Project policy, and so on).
>
> We wish to make this arrangement a bit more formal, and in particular
> to provide discoverers (who ultimately decide disclosure dates) and
> the Security Team (who often give advice) with good information to
> support their decisions.
>
> To this end we have created a wiki page where interested community
> members can document public holidays which would affect their ability
> to respond to security issues.
>
> Please see:
>   https://wiki.xenproject.org/wiki/HolidayCalendar
>
> If you would like your circumstances taken into account, please add to
> the data for 2017 on that page.
>
> Note that if you do not already have write access to the wiki, you'll
> have to request it.  Sorry for the inconvenience, and please see:
>   https://wiki.xenproject.org/wiki/Main_Page
>
> Also, as the HolidayCalendar wiki page says:
>
>   Note that disclosure schedules are determined by the discoverers of
>   vulnerabilities who do not need to follow the guidelines in the Xen
>   Project policy.  Where discoverers ask the Xen Project Security Team
>   for advice, or choose to follow the policy, the holiday information
>   here is advisory only.  Because the policy requires us to consider
>   other factors too, we cannot guarantee to avoid holidays.

I see that US, UK and Canadian holidays have been added.  Members of
the Xen Project community in other places ought to consider adding
their own holiday dates.

Ian.
