On 2025-12-30 11:55:35 +0530 (+0530), Umbrella Corporation wrote:
> I found a vulnerability in your git repo
Let me save you some time: You almost certainly haven't. Every exploitable security vulnerability we've issued advisories for has been noticed through people using the software (or by penetration testing professionals they've contracted with), not by random researchers running scripts scanning Git repositories in hopes of striking it rich.
> So if I reported bugs and vulnerabilities, can I get a reward bounty?
In short, no. OpenStack is a community-run free/libre open source project. We gladly accept reports of suspected vulnerabilities, especially if they come with confirmed exploit scenarios and an interest in helping us implement relevant fixes, but we do not have any sort of bounty or reward program. From what I've seen in other projects which have tried it, they get quickly overrun by worthless reports full of nothing but automated scans and LLM hallucinations (we get enough of those already without encouraging more).

Our instructions for submitting reports of suspected vulnerabilities are at https://security.openstack.org/reporting.html but please don't submit a bug that's just the result of you running a code scanner over our Git repositories. We're perfectly capable of doing that already. If you use the software and confirm that you're able to make it do something unexpected and dangerous like crash a running service or escalate privileges based on untrusted user input, grant access to private data belonging to other tenants in the service, et cetera, then please file a private security bug report about it.

To reiterate: please don't file bugs about theoretical problems you haven't at least tried to exploit on a running system; it wastes maintainer time, something we have precious little of, which could be better spent addressing actual confirmed bugs we're already struggling to manage on a daily basis. Thanks!

-- 
Jeremy Stanley, OpenStack Vulnerability Coordinator