[openstack-dev] [Nova] Security vulnerability contacts

Jeremy Stanley fungi at yuggoth.org
Mon Nov 18 20:20:40 UTC 2013

On 2013-11-18 11:27:28 -0800 (-0800), Sriram Subramanian wrote:
> Thanks for the initiative. We at the OpenStack Security Group are
> doing large part of these tasks now and are looking for more help
> (particularly around reviews from people that are intimate to the
> project internals). Here are some pointers on how to get involved.
> You probably are inviting more volunteers for OSSG, I am just
> trying to make it clearer. If not, we need to work to make sure
> the efforts are aligned and not duplicated.

As I understood his initial E-mail, he's looking for experienced
Nova core reviewers with some background in security so that the
vulnerability management team can use them as an initial point of
contact to help develop, backport or review proposed fixes for
embargoed security vulnerabilities prior to their announcement.

Note that this is not something we're (VMT hat on) only seeking from
Nova. All the official OpenStack projects which receive security
support are strongly encouraged to groom core security
developers/reviewers so that we can have some redundancy and
additional bandwidth on those sorts of interactions (rather than now
where we usually just contact the PTL and hope he/she is around). As
discussed at the summit, we're going to work on putting together a
more detailed prerequisites list for determining whether a given
project is under security support.

Jeremy Stanley

More information about the OpenStack-dev mailing list