[openstack-dev] Announcement - "The Security Team" for OpenStack

Clark, Robert Graham robert.clark at hp.com
Thu Apr 2 11:55:05 UTC 2015


The OpenStack Security Group (OSSG) and the OpenStack Vulnerability Management
Team (VMT) have historically operated as independent teams, each with a focus on
different aspects of OpenStack security. To present a more coherent security
posture we are pleased to announce that the OSSG and VMT will be joining forces.

It is our hope that this merging of teams will help present a stronger and more
mature security posture, both to the outside world and within OpenStack, and
will make it easier for developers to engage with the security resources they
need.

Moving forward, the OSSG and VMT combined will apply to become a recognized
project within OpenStack. We seek to mirror the successes of the documentation
team and will be applying to become known simply as 'Security'.

We are excited about the new opportunities this creates and are hopeful that it
gives OpenStack a clearer security message.

What is changing? 

Initially a huge work effort will be undertaken to restructure and rebrand
existing documentation which will eventually be hosted under a new subdomain of
openstack.org [1]. This will allow developers and consumers of OpenStack to
easily find security resources such as the OpenStack Security Advisories, the
Security Guide, Security Notes and Best Practices.

Does this change how I report security issues? 

No. The existing vulnerability management process [2] and team members will
remain the same. The VMT will maintain its independence and will continue to
operate with the same level of confidentiality as before. 

How can I get involved? 

The security group is always looking for enthusiastic new members; there's a
wiki article on how to get involved [3]. If you are interested, please come along
to the weekly IRC meeting, or just start contributing.

Asking the security group questions? 

Any general security questions that do not relate to a vulnerability within the
OpenStack code base should be sent to the openstack-dev at lists.openstack.org
address with [security] in the subject line.


1. https://security.openstack.org
2. https://wiki.openstack.org/wiki/Vulnerability_Management
3. https://wiki.openstack.org/wiki/Security/How_To_Contribute


