[Openstack-security] OpenStack Security Group representation to the VMT

Russell Bryant rbryant at redhat.com
Tue Nov 19 23:38:05 UTC 2013


On 11/19/2013 06:31 PM, Jeffrey Walton wrote:
> On Tue, Nov 19, 2013 at 2:18 PM, Bryan D. Payne <bdpayne at acm.org> wrote:
>>> I also wanted to know if it is OK for someone to join these calls as
>>> observers (as a learning experience).
>>
>>
>> Unfortunately not.  The primary purpose of all of this is to minimize the
>> number of people that know about vulnerabilities in OpenStack before they
>> are fixed.  Hence the aim to keep the number of people involved to a small
>> group.
> Is there an upper bound on the time-before-disclosure?
> 
> I've seen Apple, IBM, and Microsoft and others take [literally] years
> to fix vulnerabilities. In this case, only the VMT and adversaries
> will know about the hole. I believe leaving a vulnerability
> unmitigated for years is a detriment to the deployment base, and not a
> benefit.

https://wiki.openstack.org/wiki/Vulnerability_Management

-- 
Russell Bryant
