The Linux-created Xen Project would like to provide fewer reports on vulnerabilities to its microkernel hypervisor. The Project is currently seeking input in a discussion about redefining the term ‘vulnerability’ to limit the number of bugs for which sweeping advisories are issued.
The proposed changes would set about redefining the types of vulnerabilities for which advisories are issued. Under the new guidelines, information leaks will be considered security issues only if they contain sensitive guest or user data. Also, if no operating systems are vulnerable to a bug, no advisory will be issued.
The argument put forth on the Xen project blog centers on the cost of publishing advisories. The security team must create and disseminate the notifications, partners must build and test patches, and users must evaluate, test and deploy updates. All of this effort comes at a cost to the people and organizations associated with each vulnerability notification.
Limiting the number of advisories issued to those that are only necessary for clients to acknowledge and fix is the proposal for containing those costs and prioritizing, on behalf of consumers, the relevant patches that directly affect data and operating system security. The Xen Project blog comments, “all security issues are bugs, but not all bugs are security issues.”
Under the new definitions, only a few source/context pairs will be considered vulnerabilities for the purposes of creating and issuing an advisory. These include incidents where the source is the guest userspace and the target is the hypervisor, or the target is another guest.
Privilege escalation, denial of service and information leakage will be considered vulnerabilities in many cases, unless (in the case of information leakage) the target is an unprivileged guest.
The new definitions proposed by the Xen Project will certainly reduce the number of advisories that are created and published to users. In 2016, 34 advisories were issued by the Xen Project, with the bulk of those in the fourth quarter alone.
The Xen Project is seeking input from developers, who can post comments and concerns to a discussion thread. Participants may contribute to the discussion through the end of this month.