On 2021-03-26 16:52:52 -0500 (-0500), Ben Nemec wrote: [...]
> I have added the openstack-vuln-mgmt team to most of the Oslo projects.
Great, happy to help there.
> I apparently don't have permission to change settings in oslo.policy,
This is maintained by oslo-policy-core, which has Adam as its owner and only administrator, so he's currently the only one who can add more members to that group, though any one of the group members could help us by switching the oslo.core maintainer to some other group owned by openstack-admins if Adam can't be reached to make openstack-admins the owner of oslo-policy-core.
> oslo.windows,
Similarly, the maintainer is oslo-windows-drivers, which has Claudiu as its owner and only administrator, but the project maintainer could optionally be adjusted to another group by Alessandro if Claudiu can't be reached.
> and taskflow,
Maintained by the taskflow-dev group, for which Joshua is the owner and only administrator, but there are a lot of group members, one of whom could switch the project maintainer for you.
> so I will need help with that. After going through all of the projects, my guess is that the individual people who have access to the private security bugs are the ones who created the project in the first place. I guess that's fine, but there's an argument to be made that some of those should be cleaned up too.
In all three cases, I expect the people who have access to these are no longer active in OpenStack, so yes, getting them fixed would be a "good idea."
> I also noticed that oslo-coresec is not listed in most of the projects. Is there any sort of global setting that should give coresec members access to private security bugs, or do I need to add that to each project?
You'd have to add it separately to each of them, yes. Though for any with VMT oversight, we suggest you not do that and instead let one of the vulnerability coordinators subscribe your security reviewer group after we've confirmed the report isn't misdirected at the wrong project, in order to minimize unnecessary initial spread of sensitive information.
-- 
Jeremy Stanley