“Issuing advisories has a cost,” the project’s George Dunlap writes. “It costs the security team significant amounts of time to craft and send the advisories; it costs many of our downstreams time to apply, build, and test patches; and it costs many of our users time to decide whether to do an update, and if so, to test and deploy it. Given this, the Xen Project Security Team wants to clarify when they should issue an advisory or not: the Xen Security Response Process only mentions ‘vulnerabilities’, without specifying what constitutes a vulnerability.”
ORIGINAL SOURCE: The Register