[StoryBoard][Security] The process to report a security bug

Jeremy Stanley fungi at yuggoth.org
Thu Apr 9 06:54:18 UTC 2020

On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> As most of the projects have migrated to storyboard for bug tracking,

Most have not, actually, at last count it was nearing 50% of
OpenStack teams but I don't have exact numbers handy at the moment.

> after reading https://security.openstack.org/vmt-process.html, I have
> two questions:
> 1. I didn't find openstack/ossa or ossa project exists in storyboard.

Like in Launchpad, you report suspected vulnerabilities to the
projects in which you've found them. The VMT isn't using explicit
advisory tasks in StoryBoard at the moment, but we're still acting
on vulnerabilities reported in StoryBoard for projects with the
vulnerability:managed governance tag (at present that's Barbican,
Heat, Sahara and Trove). We get automatic access to those, but are
also happy to discuss suspected vulnerabilities in other projects as
long as you give us access to the story (click the pencil-shaped
edit icon next to the story title, then add the "openstack-security"
team to the list of "Teams and Users that can see this story" and
click the Save button).

> 2. I didn't find a place in storyboard to attach a patch.

There is work underway to add attachments support:


Right now you can just paste the patch into a story comment if the
story is private (for public stories, patches should go to Gerrit as
usual, and use a Task or Story footer in the commit message to refer
to a relevant task or story ID number). The comment field supports
markdown, so if you indent all the lines of a patch by an additional
4 spaces it will be displayed as a block of preformatted code. Use
the Toggle Preview button so you can make sure it looks the way you
expect before committing the comment. I've put an example in
storyboard-dev here:


It can be a bit unwieldy, but it's the best option we've got until
proper attachment support is finished.

> Am I missing something?

Hopefully not, but feel free to reach out to OpenStack VMT team
members directly by private E-mail (OpenPGP-encrypted to our keys if
you feel it's especially sensitive). You can find us listed at
along with high-level instructions on reporting vulnerabilities.
Some of us also generally attend the OpenStack Security SIG meeting
every Thursday at 15:00 UTC in #openstack-meeting and can be found
at various times of day in the #openstack-security IRC channel as
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200409/f84e0050/attachment.sig>

More information about the openstack-discuss mailing list