[openstack-dev] [security] [telemetry] How to handle security bugs

Jeremy Stanley fungi at yuggoth.org
Tue Jan 17 17:28:37 UTC 2017


On 2017-01-17 13:26:02 +0100 (+0100), Julien Danjou wrote:
> I've asked on #openstack-security without success, so let me try here
> instead:
> 
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as how to handle our bug? Or how to get covered by VMT? 😊

Others have already answered most of your questions in this thread,
but since nobody from the VMT has chimed in yet I'll just state on
our behalf that we're generally happy to consult privately or
publicly on any suspected vulnerability report within the OpenStack
ecosystem (and sometimes beyond). If you subscribe
openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
Launchpad to the private bug in question we'll get notified
automatically and take a look. For deliverables with the
vulnerability:managed governance tag this happens automatically and
we prioritize our time toward those, but we're available to help on
others as well on a best-effort basis and time permitting.

The VMT's process document exists primarily for the purposes of
transparency, and outlines the steps we follow and templates we use
when triaging suspected vulnerabilities for OpenStack deliverables
with the vulnerability:managed governance tag. It's also usable in
great part by other deliverables, and though the VMT doesn't
officially take responsibility for those we're still usually able to
help take you through the process and answer questions. If you need
to reach us through a secure channel, E-mail addresses and
corresponding OpenPGP keys are published at
https://security.openstack.org/#how-to-report-security-issues-to-openstack
for anyone who needs them.
-- 
Jeremy Stanley