[openstack-dev] [security] [telemetry] How to handle security bugs

Ian Cordasco sigmavirus24 at gmail.com
Tue Jan 17 13:04:22 UTC 2017


On Tue, Jan 17, 2017 at 6:26 AM, Julien Danjou <julien at danjou.info> wrote:
> Hi,
>
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as to how to handle our bug? Or how to get covered by VMT? 😊

So, in terms of process I'd advise you read
https://security.openstack.org/vmt-process.html because it describes
how the VMT process works.

I believe http://docs.openstack.org/project-team-guide/vulnerability-management.html
described that you need to be "security-supported" which involves
joining the list of projects with the "vulnerability:managed" tag
(https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html).

https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
describes the requirements to attain that tag.

Cheers,
-- 
Ian Cordasco
