[openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

Steven Dake (stdake) stdake at cisco.com
Tue Mar 1 21:08:24 UTC 2016


Thank you for your offer, but I believe the VMT kolla-coresec team must be formed from core reviewers or I'd ask Dave Mccowan to consider an invitation.

The text that I think this comes from is:
Deliverables with more than five core reviewers should (so as to limit the unnecessary exposure of private reports) settle on a subset of these to act as security core reviewers whose responsibility it is to be able to confirm whether a bug report is accurate/applicable or at least know other subject matter experts they can in turn subscribe to perform those activities in a timely manner

It is pretty easy to become a core reviewer in Kolla over time but it requires doing consistently proven good reviewing of the code going into the repository, consistent IRC participation, as well as implementation work.

If you're interested, please join us on IRC and begin the process :)


From: Adam Heczko <aheczko at mirantis.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, March 1, 2016 at 1:57 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

Hi Steven,
I'd like to help you with vulnerability management process of Kolla and become a member of Kolla VMT team.
I have experience and expertise in IT security and the processes related to it.

Best regards,


On Tue, Mar 1, 2016 at 5:55 PM, Steven Dake (stdake) <stdake at cisco.com> wrote:
Core reviewers,

Please review this document:

It describes how vulnerability management is handled at a high level for Kolla.  When we are ready, I want the kolla delivery repos vulnerabilities to be managed by the VMT team.  By doing this, we standardize with other OpenStack processes for handling security vulnerabilities.

The first step is to form a kolla-coresec team, and create a separate kolla-coresec tracker.  I have already created the tracker for kolla-coresec and the kolla-coresec team in launchpad:



I have a history of security expertise, and the PTL needs to be on the team as an escalation point as described in the VMT tagging document above.  I also need 2-3 more volunteers to join the team.  You can read the requirements of the job duties in the vulnerability:managed tag.

If you're interested in joining the VMT team, please respond on this thread.  If there are more than 4 individuals interested in joining this team, I will form the team from the most active members based upon liberty + mitaka commits, reviews, and PDE spent.



Adam Heczko
Security Engineer @ Mirantis Inc.