Brussels / 30 & 31 January 2016


Xen Project Security Response War Stories

War stories from the XenProject security response process

Open-source software plays a vital role in our worldwide computing infrastructure. When vulnerabilities are discovered in our software, our response can have a major impact on how much risk our end users are exposed to.

The XenProject's security response process has been hardened and tested over years of experience, and has weathered several storms. This talk will share some war stories from our security response process that explain how it got to where it is today, so that you can learn the easy way, from our experience, rather than the hard way, from your own experience.

This talk will briefly cover the history of response processes -- from non-disclosure to full disclosure to coordinated or "responsible" disclosure, and pre-disclosure.

We'll then cover two major events -- XSA-7, the Intel SYSRET vulnerability; and XSA-108 -- that highlighted some weaknesses in our process, and how we tweaked the process in response.

Finally, we'll cover how we handled a very controversial community discussion after XSA-7 in a way that, we hope, gave everyone in the community an opportunity to have their voice heard and counted, in spite of the complete lack of consensus.


George Dunlap