Reply to post: Not a policy breach

Xen Project blunder blows own embargo with premature bug report

Anonymous Coward

Not a policy breach

The article and the XSA state: “The fix for this bug was publicly posted on xen-devel, before it was appreciated that there was a security problem.”

If you look at http://www.xenproject.org/security-policy.html, section 2b, you will see it says "If the vulnerability is not already public, security@xenproject will negotiate with discoverer regarding embargo date and disclosure schedule. See below for detailed discussion." ... In this case, an issue was posted on the list without realising it may be a security issue. Later it was discovered that the issue constitutes a security issue. The project did in fact not breach its own policy and as such the article is wrong.

This happened once in the entire time the project had the vulnerability process, which is quite a good record IMHO.
