[dev][security-sig][tc] Please follow up on privately reported defects
First, a huge thank you to everyone who is staying on top of reports of suspected security vulnerabilities! Unfortunately, not everyone has been, which is the reason for this E-mail.

It's common practice that, if someone finds a problem in software which they think might be an exploitable security vulnerability, they report it initially in private in order to give the project's maintainers an opportunity to correct things and have patches ready before it becomes common knowledge. This works okay as long as people actually look at these privately reported bugs (or at the project's bugs at all).

For OpenStack deliverables whose maintainers opt them into VMT oversight[*], these private reports are initially handled by a vulnerability coordinator in order to make sure that they're probably reported against the correct project, that the project maintainers who have volunteered to handle those sorts of reports are correctly subscribed, and that everyone is reminded of the ground rules and timetable for resolving reports under such an embargo. For other OpenStack deliverables, VMT members may still weigh in on those private reports and offer assistance or guidance on handling and reporting procedures. Our VMT members do not, however, have sufficient time in their day to keep individually reaching out to project maintainers in order to remind them to do their part.

OpenStack is a community which has optimized around transparency and public collaboration, so it's not surprising that confirming bugs and reviewing changes in private is clunky and unpleasant. This is, if anything, a reason to prioritize triaging private bug reports in order to make sure they're really a bug (not just a misunderstanding or misconfiguration), and represent a severe enough risk to warrant continued handling in secret.

Many of the private bug reports currently pending could probably be switched to public and even perhaps closed today, if maintainers for their projects would just find a moment to take a look at them. For the ones which can't be handled right away, at least leave a quick comment letting the reporter and the VMT members know you're taking a look, or any first impressions or questions you might have.

If you're interested in helping a project resolve reported vulnerabilities and aren't yet a member of their security review team in the appropriate bug tracker (usually *-coresec in LP or openstack-security-* in SB), then please reach out to the appropriate PTL and let them know. If you're a PTL and you were never made a member of the security review team for your project or are having trouble adding willing volunteers, please follow up here on the ML or feel free to reach out to me directly for assistance.

For those who read this far, thank you for your time, and please remember to follow up on those bugs!

[*] https://security.openstack.org/repos-overseen.html

-- 
Jeremy Stanley