Hi,

I would like feedback from the community about applying (or not) for the vulnerability:managed tag [1].

Being part of the OpenStack ecosystem and the big tent, the Puppet OpenStack project might want to follow some other projects in order to be consistent in security management procedures.

I believe we should apply for the tag and start to learn about their process. I think it would be a great opportunity for us to be more involved in OpenStack best practices, and maybe enhance the process by giving feedback to the security team. Also, it would make our security bugs managed and tracked in a more serious way than we used to do before.

The main impact for our group would be to acknowledge what is documented here:
https://security.openstack.org/#how-to-report-security-issues-to-openstack
and to take care of the new procedure.

I think we should start the discussion from here and maybe define a plan for the following months, if some audits need to be done before.

Any feedback is welcome,

[1] http://governance.openstack.org/reference/tags/vulnerability_managed.html

--
Emilien Macchi