[Openstack-security] criteria for downstream stakeholders?

Ben Pfaff blp at nicira.com
Tue Feb 17 23:45:12 UTC 2015


On Tue, Feb 17, 2015 at 11:33:15PM +0000, Jeremy Stanley wrote:
> On 2015-02-17 15:12:33 -0800 (-0800), Ben Pfaff wrote:
> > Hi.  I'm a contributor to Open vSwitch.  Over in OVS, we're forming a
> > vulnerability management process, modeled on the one used in OpenStack
> > described at https://wiki.openstack.org/wiki/Vulnerability_Management.
> > 
> > We're trying to figure out what criteria to use for deciding what
> > companies or organizations qualify as downstream stakeholders.  Can
> > anyone tell us what criteria or policy OpenStack uses?
> 
> It's mostly a self-selecting lot. The OpenStack VMT primarily
> expects requests for inclusion from public service providers and
> representatives from operating systems/distributions who are
> repackaging our software. The goal is to make sure that anyone who
> needs to prepare or integrate patches into their systems prior to
> public disclosure (so as to reduce the duration of risk to exposed
> systems) can safely do so while still minimizing the number of
> people who can possibly leak that same information. We don't really
> have an explicit policy around exactly who we can approve, since
> situations vary and we need to be flexible to accommodate them.

Thanks.

Have you run into any gray areas?  Of the 11 requests we've had so
far, 7 of them are from very big companies who should obviously be
included.  The remaining 4 are harder to judge because they are from
companies that we have not heard of.  They seem to check out at first
glance, that is, they show up on Google and have websites that don't
"look" fraudulent etc., but I have no way really to verify that.

The risk here is notifying someone dishonest or careless a few days
early.  It sounds like that's not something you're too worried about?
I don't know how to judge it, myself.

Thanks,

Ben.



