Hopefully it's not a lot of additional work, but the VMT would be thrilled if projects would also keep Public Security vulnerability reports in mind and try to wrap up any they can. For example, the Neutron project on Launchpad has 9 currently unresolved, some opened more than 3 years ago: <URL: https://bugs.launchpad.net/neutron/+bugs?field.searchtext=&orderby=-importance&search=Search&field.status%3Alist=NEW&field.status%3Alist=CONFIRMED&field.status%3Alist=TRIAGED&field.status%3Alist=INPROGRESS&field.status%3Alist=INCOMPLETE_WITH_RESPONSE&field.status%3Alist=INCOMPLETE_WITHOUT_RESPONSE&field.information_type%3Alist=PUBLICSECURITY > I'm willing to bet at least a few are either fixed now, related to deprecated/removed functionality, or simply unreproducible. And if they're still real bugs but don't represent an actual exploitable vulnerability, that's good to know too (in which case we'd just switch them to regular Public bugs so the VMT no longer needs to keep track of those). -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 963 bytes Desc: not available URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200901/475e9644/attachment.sig>