[Openstack-security] OpenStack Security Group representation to the VMT

Clark, Robert Graham robert.clark at hp.com
Wed Nov 20 14:38:35 UTC 2013


[...]

> I would really like to get to the point where we can have at least a
> target time-to-fix based on the vulnerability severity (like "High
> should be fixed and pushed out in less than 20 days"). That way we can
> at least measure how good or bad we are doing. The key to that, IMHO,
> is to have someone whose *primary* job is to make sure we reach those
> objectives - a security coordinator. I'm confident we'll soon have the
> resources to make that happen.

A target time to fix, once a vulnerability has been confirmed, would be a
good step to take. I'm not sure it could ever be something more than a
guideline, though; with so much difference between the projects it'll be
virtually impossible to impose any sort of cross-project time limit.

> 
> And before anyone says "hey, I can help", please consider it's an
> extremely specific and time-consuming job. I'd definitely consider new
> candidates, but we have had a number of people trying to help the VMT
> in the past and most of them failed to handle more than one
> vulnerability over the course of their involvement... so I'm getting
> picky. People with open source SRT experience are definitely preferred,
> since they know what this thankless job is about :)

I can second this. I think this is almost a full-time job. As time goes
on I expect that the number of vulnerabilities identified in OpenStack
will increase somewhat, and the ideal candidate would not only be very
good security-wise but intimately familiar with the OpenStack projects,
where fixes need to be made, and the right people to engage with to make
fixes happen quickly. There aren't many people around that fit the
bill!

