[StoryBoard][Security] The process to report a security bug

Lingxian Kong anlin.kong at gmail.com
Thu Apr 9 09:55:35 UTC 2020

Thanks Jeremy for the instructions. As suggested, I've added the
'openstack-security' team to access the storyboard task and pasted the
code change as a comment.

I am still hoping the process could be documented in the right place in
case someone else is in a similar situation to me.

Best regards,
Lingxian Kong
Catalyst Cloud

On Thu, Apr 9, 2020 at 7:01 PM Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> > As most of the projects have migrated to storyboard for bug tracking,
> Most have not, actually; at last count it was nearing 50% of
> OpenStack teams, but I don't have exact numbers handy at the moment.
> > after reading https://security.openstack.org/vmt-process.html, I have
> > two questions:
> >
> > 1. I didn't find openstack/ossa or ossa project exists in storyboard.
> Like in Launchpad, you report suspected vulnerabilities to the
> projects in which you've found them. The VMT isn't using explicit
> advisory tasks in StoryBoard at the moment, but we're still acting
> on vulnerabilities reported in StoryBoard for projects with the
> vulnerability:managed governance tag (at present that's Barbican,
> Heat, Sahara and Trove). We get automatic access to those, but are
> also happy to discuss suspected vulnerabilities in other projects as
> long as you give us access to the story (click the pencil-shaped
> edit icon next to the story title, then add the "openstack-security"
> team to the list of "Teams and Users that can see this story" and
> click the Save button).
> > 2. I didn't find a place in storyboard to attach a patch.
> There is work underway to add attachments support:
> https://review.opendev.org/#/q/topic:story-attachments
> Right now you can just paste the patch into a story comment if the
> story is private (for public stories, patches should go to Gerrit as
> usual, and use a Task or Story footer in the commit message to refer
> to a relevant task or story ID number). The comment field supports
> markdown, so if you indent all the lines of a patch by an additional
> 4 spaces it will be displayed as a block of preformatted code. Use
> the Toggle Preview button so you can make sure it looks the way you
> expect before committing the comment. I've put an example in
> storyboard-dev here:
> https://storyboard-dev.openstack.org/#!/story/1831449
> It can be a bit unwieldy, but it's the best option we've got until
> proper attachment support is finished.
> > Am I missing something?
> Hopefully not, but feel free to reach out to OpenStack VMT team
> members directly by private E-mail (OpenPGP-encrypted to our keys if
> you feel it's especially sensitive). You can find us listed at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> along with high-level instructions on reporting vulnerabilities.
> Some of us also generally attend the OpenStack Security SIG meeting
> every Thursday at 15:00 UTC in #openstack-meeting and can be found
> at various times of day in the #openstack-security IRC channel as
> well.
> --
> Jeremy Stanley
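The workaround Jeremy describes, pasting a patch into a private story comment indented by four spaces, as an added example that is not part of this thread, of StoryBoard or of the VMT's tooling: it produces the markdown comment, checks that the indent can be stripped again to recover the patch byte-for-byte, and flags empty lines inside hunks, since a unified diff marks an unchanged blank line with a single space that mail clients and editors often strip. All function names and the sample patch are constructed for this example.

```python
"""Helpers for the StoryBoard "indent the patch by 4 spaces" workaround.

Added example, not code from StoryBoard or the OpenStack VMT. A strict
applier treats a hunk whose blank context line lost its leading space as
corrupt, so such lines are reported before the patch is reused.
"""

INDENT = "    "  # a markdown indented code block needs exactly four spaces

# Constructed sample patch; line 6 is an unchanged blank line (a lone space).
SAMPLE_PATCH = (
    "diff --git a/f.py b/f.py\n--- a/f.py\n+++ b/f.py\n@@ -1,3 +1,3 @@\n"
    " import os\n \n-x = 1\n+x = 2\n"
)


def patch_to_comment(patch: str) -> str:
    """Indent every line, blank ones included, and lead with an empty line
    so the block is not glued to the prose above it in the comment."""
    return "\n" + "\n".join(INDENT + line for line in patch.splitlines()) + "\n"


def comment_to_patch(comment: str) -> str:
    """Reverse patch_to_comment: drop the four-space indent from each line."""
    lines = comment.strip("\n").splitlines()
    return "\n".join(l[len(INDENT):] if l.startswith(INDENT) else l
                     for l in lines) + "\n"


def suspicious_blank_lines(patch: str) -> list:
    """Return 1-based numbers of completely empty lines inside hunks.

    Hunk boundaries are found heuristically: '@@' opens a hunk and a
    'diff ' / '--- ' / '+++ ' header closes it.
    """
    bad, in_hunk = [], False
    for number, line in enumerate(patch.splitlines(), 1):
        if line.startswith("@@"):
            in_hunk = True
        elif line.startswith(("diff ", "--- ", "+++ ")):
            in_hunk = False
        elif in_hunk and line == "":
            bad.append(number)
    return bad


if __name__ == "__main__":
    comment = patch_to_comment(SAMPLE_PATCH)
    assert comment_to_patch(comment) == SAMPLE_PATCH
    print(comment)
    # Simulate an editor stripping the space from the blank context line.
    damaged = SAMPLE_PATCH.replace(" \n", "\n", 1)
    print("empty lines inside hunks:", suspicious_blank_lines(damaged))  # [6]
```

Run the preview check Jeremy mentions after pasting; if the round trip or the blank-line check fails on the pasted text, the comment field has altered the patch.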