[openstack-dev] [security] [telemetry] How to handle security bugs

Julien Danjou julien at danjou.info
Tue Jan 17 18:00:25 UTC 2017


On Tue, Jan 17 2017, Jeremy Stanley wrote:

> Others have already answered most of your questions in this thread,
> but since nobody from the VMT has chimed in yet I'll just state on
> our behalf that we're generally happy to consult privately or
> publicly on any suspected vulnerability report within the OpenStack
> ecosystem (and sometimes beyond). If you subscribe
> openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
> Launchpad to the private bug in question we'll get notified
> automatically and take a look. For deliverables with the
> vulnerability:managed governance tag this happens automatically and
> we prioritize our time toward those, but we're available to help on
> others as well on a best-effort basis and time permitting.
>
> The VMT's process document exists primarily for the purposes of
> transparency, and outlines the steps we follow and templates we use
> when triaging suspected vulnerabilities for OpenStack deliverables
> with the vulnerability:managed governance tag. It's also usable in
> great part by other deliverables, and though the VMT doesn't
> officially take responsibility for those we're still usually able to
> help take you through the process and answer questions. If you need
> to reach us through a secure channel, E-mail addresses and
> corresponding OpenPGP keys are published at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> for anyone who needs them.

Amazing feedback, thanks Jeremy.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */