[Openstack-security] Where do we stand on formal process for classifying the severity of security bugs?
Thierry Carrez
thierry at openstack.org
Mon Aug 25 16:03:46 UTC 2014
Sriram Subramanian wrote:
> I am at the OpenStack Ops Midcycle Meetup in San Antonio and was asked to
> moderate the Security session here (like how Bryan and I did in Atlanta).
>
> I am looking at feedback from Atlanta meetup and one of the feedback
> from operators was regarding more clarity on the classification.
>
> I see some note saying "need to work on formal process". What is our
> current status on the same?
Rob proposed something based on CVSS, but I've yet to see a process that
we could include as part of the vulnerability management team processes.
--
Thierry Carrez (ttx)