[bitfolk] Vulnerability scanning and timescales for action

Author: Andy Smith
Date:  
To: announce
Subject: [bitfolk] Vulnerability scanning and timescales for action

gpg: Signature made Sun Dec 18 22:37:28 2016 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi,

There was a consultation earlier regarding what to do about
customers who do not react to the alerts we send about serious
security issues we have found during regular scans of our IP space:

    http://lists.bitfolk.com/lurker/message/20161215.152008.2ee18732.en.html


Dealing with that was becoming quite a time sink and I was also
getting concerned about potentially inconsistent handling of these
issues when not working to any kind of documented process.

The consensus seemed to prefer the idea of network suspension after
21 days, so this has now been documented along with a bit more
information about the things we (or partners) scan for:

    https://tools.bitfolk.com/wiki/Vulnerability_scanning


This will now allow for some more automation.

I've also updated the Terms and Conditions page:

    https://bitfolk.com/policy/terms.html


with a new paragraph that points to that page:

    BitFolk and its partners regularly scan BitFolk's IP space for
    well-known vulnerabilities and misconfigurations, some of which
    are serious enough that BitFolk will insist that The Customer
    fixes them within a reasonable timescale.


Although the paragraph above that one is the usual blanket "reserve
the right to suspend service", so it is perhaps technically not
necessary to list particular things, it does seem like useful info to
have there.

Normally we try to have changes to the T&Cs not take effect for 30
days, but I don't see this as a change, since we have always used the
"reserve the right to suspend service" clause if necessary with things
like this. So if it is unfortunately necessary to suspend someone's
network we won't be waiting until 30+21 days to do it. And happily
there currently isn't anyone who's been receiving alerts for
anything like that long.

If you have any questions or feel the article (or process) could be
improved please let us know.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

"The electric guitar - like making love - is much improved by a little
feedback, completely ruined by too much." — The League Against Tedium
_______________________________________________
announce mailing list
announce@???
https://lists.bitfolk.com/mailman/listinfo/announce