Open Stack

On 2013-12-11 18:28:14 +0100 (+0100), Monty Taylor wrote:
> On 12/11/2013 03:51 PM, Russell Bryant wrote:
> > On 12/10/2013 05:57 PM, Paul McMillan wrote:
> > [...]
> > > If you don't have anyone else who is a web security specialist
> > > on the core team, I'd like to stay. Since I'm also a member of
> > > the Django security team, I offer a significant chunk of
> > > knowledge about how the underlying security protections are
> > > intended work.
> > 
> > Security reviews aren't done on gerrit, though.  They are
> > handled in launchpad bugs.  It seems you could still contribute
> > in this way without being on the horizon-core team responsible
> > for reviewing normal changes in gerrit.
> > [...]
> 
> And as a follow up - I betcha the vulnerability-management team
> would LOVE to have you!

In particular, there are plenty of open public vulnerabilities
throughout OpenStack in various states of being addressed which you
can pitch in on even with fairly limited levels of commitment.
Anything which needs an advisory, or which we think might need one
but are not yet sure, is listed at https://bugs.launchpad.net/ossa
(with privately-reported and still embargoed issues being the
exception). Whatever you see there which piques your interest,
whether it needs testing/confirmation, a patch or even just an
expert opinion on exploitability/risk would be a welcome
contribution.

Any help we get dealing with already public vulnerabilities frees up
more of our time to focus on embargoed items while still keeping the
core group small (minimizing risk of premature disclosure). More
info at...

https://wiki.openstack.org/wiki/Vulnerability_Management

</end_public_service_announcement>

-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131212/4e571735/attachment.pgp>