Hi all,

I'm writing on behalf of the Vulnerability Management Team (VMT). We often use the ${project}-coresec teams to determine who is best to help triage initial issues. These groups do not appear to be universally up to date.

If you are in charge of a repo managed by the VMT ( https://security.openstack.org/repos-overseen.html#repositories-overseen ) please ensure the associated launchpad ${project}-coresec group has active, trusted members of your community -- or otherwise reach out to the VMT in #openstack-security to arrange other contacts if needed. For example, https://launchpad.net/~ironic-coresec/+members contains four longtime Ironic cores and former PTLs. (I'll note: I likely need to audit the equivalent group for Ironic-adjacent repos, and will do that after hitting send).

This is extremely important! If we can't get an issue triaged and dealt with in time, it gets opened to the public.

If there's any questions, feel free to respond here or reach out in #openstack-security on OFTC.

Thanks,

Jay Faulkner