[Openstack-security] criteria for downstream stakeholders?

Jeremy Stanley fungi at yuggoth.org
Tue Feb 17 23:33:15 UTC 2015


On 2015-02-17 15:12:33 -0800 (-0800), Ben Pfaff wrote:
> Hi.  I'm a contributor to Open vSwitch.  Over in OVS, we're forming a
> vulnerability management process, modeled on the one used in OpenStack
> described at https://wiki.openstack.org/wiki/Vulnerability_Management.
> 
> We're trying to figure out what criteria to use for deciding what
> companies or organizations qualify as downstream stakeholders.  Can
> anyone tell us what criteria or policy OpenStack uses?

It's mostly a self-selecting lot. The OpenStack VMT primarily
expects requests for inclusion from public service providers and
representatives from operating systems/distributions who are
repackaging our software. The goal is to make sure that anyone who
needs to prepare or integrate patches into their systems prior to
public disclosure (so as to reduce the duration of risk to exposed
systems) can safely do so while still minimizing the number of
people who can possibly leak that same information. We don't really
have an explicit policy around exactly who we can approve, since
situations vary and we need to be flexible to accommodate them.
-- 
Jeremy Stanley

