[openstack-dev] [kolla][security][release] Obtaining the vulnerability:managed tag

Jeremy Stanley fungi at yuggoth.org
Fri Mar 4 00:14:40 UTC 2016


On 2016-03-03 23:57:04 +0000 (+0000), Steven Dake (stdake) wrote:
[...]
> If anything in this email is wrong, feel free to correct me and
> get us on the right track.
[...]

Sounds on track to me. The goal of having some guidelines for this
was mainly just to try and avoid the VMT taking responsibility for a
project and then immediately having it become a huge burden due to
obvious latent vulnerabilities, lack of subject matter expert
developers available to triage those which do get reported, et
cetera. It's an attempt to ensure some up-front due diligence so
that we're not taking on more than we can reasonably handle, since
the VMT is by design a constrained team centrally assigning
identifiers, tracking the state of outstanding embargoes and
privately curating impact descriptions for later inclusion in public
advisories.
-- 
Jeremy Stanley