<div dir="ltr"><div id="gmail-magicdomid22" class="gmail-ace-line" style="margin:0px;padding:0px">The Vulnerability Management Team (VMT) has recently updated the vulnerability:managed policy[0] here; the key points are:<br></div><div id="gmail-magicdomid22" class="gmail-ace-line" style="margin:0px;padding:0px"><br></div><div id="gmail-magicdomid24" class="gmail-ace-line" style="margin:0px;padding:0px"><ul class="gmail-list-bullet1" style="margin:0px 0px 0px 1.5em;padding:0px"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Softened our #5 policy from a hard requirement to a recommendation</span></li></ul></div><div id="gmail-magicdomid25" class="gmail-ace-line" style="margin:0px;padding:0px"><ul class="gmail-list-bullet1" style="margin:0px 0px 0px 1.5em;padding:0px"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Clarified that the VMT does not track external software components</span></li></ul></div><div id="gmail-magicdomid26" class="gmail-ace-line" style="margin:0px;padding:0px"><ul class="gmail-list-bullet1" style="margin:0px 0px 0px 1.5em;padding:0px"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Defined that a project must tag releases to qualify for VMT oversight, and that the VMT only deals with vulnerabilities in real releases (not pre-releases, release candidates, milestones...)</span></li></ul></div><div id="gmail-magicdomid27" class="gmail-ace-line" style="margin:0px;padding:0px"><ul class="gmail-list-bullet1" style="margin:0px 0px 0px 1.5em;padding:0px"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Private embargos shall not last more than 90 days, except under unusual circumstances</span></li></ul></div><div id="gmail-magicdomid9" class="gmail-ace-line" style="margin:0px;padding:0px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid28" class="gmail-ace-line" 
style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">With the VMT policy changes[0] merged, we have also updated the VMT process document[1]</span></div><div id="gmail-magicdomid29" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">to match.  The biggest change to note is the new 90 day embargo limit:</span></div><div id="gmail-magicdomid12" class="gmail-ace-line" style="margin:0px;padding:0px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid30" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">    "If a report is held in embargo for 90 days without a fix, or significant details of the report</span></div><div id="gmail-magicdomid31" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">    are disclosed in a public venue, the embargo is terminated by a VMT coordinator at that</span></div><div id="gmail-magicdomid32" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">    time and subsequent process switches to the public report workflow instead."</span></div><div id="gmail-magicdomid16" class="gmail-ace-line" style="margin:0px;padding:0px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid33" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">We'll be updating all current private reports to let participants know that there is a 90-day deadline (from when we update the report) to make those reports public.</span></div><div id="gmail-magicdomid18" class="gmail-ace-line" style="margin:0px;padding:0px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid34" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">[0] </span><span class="gmail-url" 
style="margin:0px;padding:1px 0px"><a href="https://review.opendev.org/#/c/678426/" style="margin:0px;padding:0px;white-space:pre-wrap">https://review.opendev.org/#/c/678426/</a></span></div><div id="gmail-magicdomid35" class="gmail-ace-line" style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">[1] </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://security.openstack.org/vmt-process.html" style="margin:0px;padding:0px;white-space:pre-wrap">https://security.openstack.org/vmt-process.html</a></span></div></div>