The original text says “everyone who has a product or public facing service built on Xen”.
There are several groups which qualify according to the policy:
* Public hosting providers;
* Large-scale organisational users of Xen;
* Vendors of Xen-based systems;
* Distributors of operating systems with Xen support.
So this means Public hosting providers OR Large-scale organisational users of Xen (“large scale” means an installed base of 300,000 or more Xen guests) OR ...
So yes, not just anyone who “uses Xen” can be on the pre-disclosure list. Companies and FOSS projects that are on the list are those who have applied and qualify: for example, Huawei is on the list because their enterprise Hybrid Cloud product uses Xen.
As an aside, the policy in place was the result of a rather lengthy community consultation, and thus is a compromise between ensuring that products and services can be patched in private vs. different angles of fairness vs. managing the risk of intentional or accidental leakage of information during pre-disclosure vs. allowing the Xen Project to verify that a company or FOSS project qualifies.
On the point of some companies being seen as a security threat: each member of the list has to agree to the “policy and agree to abide by the terms for inclusion in the list, specifically the requirements to regarding confidentiality during an embargo period”. In other words, if a company or company employee is found to breach that agreement, the company will be taken off the list.
Interestingly, Openwall published a set of criteria for list membership a month ago: see seclists.org/oss-sec/2017/q2/638 & oss-security.openwall.org/...stros#membership-criteria