[Openstack-security] OpenStack Security Group representation to the VMT

Jeffrey Walton noloader at gmail.com
Tue Nov 19 23:31:11 UTC 2013


On Tue, Nov 19, 2013 at 2:18 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>> I also wanted to know if it is OK for someone to join these calls as
>> observers (as a learning experience).
>
>
> Unfortunately not.  The primary purpose of all of this is to minimize the
> number of people that know about vulnerabilities in OpenStack before they
> are fixed.  Hence the aim to keep the number of people involved to a small
> group.

Is there an upper bound on the time-before-disclosure?

I've seen Apple, IBM, Microsoft and others take [literally] years
to fix vulnerabilities. In this case, only the VMT and adversaries
will know about the hole. I believe leaving a vulnerability
unmitigated for years is a detriment to the deployment base, and not a
benefit.

Jeff
