[security] Vulnerability Management Policy Changes

Gage Hugo gagehugo at gmail.com
Thu Feb 20 21:42:55 UTC 2020


The Vulnerability Management Team (VMT) has recently updated the
vulnerability:managed policy[0] here; the key points are:

   - Softened our #5 policy from a hard requirement to a recommendation

   - Clarified that the VMT does not track external software components

   - Defined that a project must tag releases to qualify for VMT oversight,
   and that the VMT only deals with vulnerabilities in real releases (not
   pre-releases, release candidates, milestones...)

   - Private embargoes shall not last more than 90 days, except under
   unusual circumstances

With the VMT policy changes[0] merged, we have also updated the VMT process
document[1] to match. The biggest change to note is the new 90 day embargo
limit:

    "If a report is held in embargo for 90 days without a fix, or
    significant details of the report are disclosed in a public venue, the
    embargo is terminated by a VMT coordinator at that time and subsequent
    process switches to the public report workflow instead."

We'll be updating all current private reports to let participants know that
there is a 90-day deadline (from when we update the report) to make those
reports public.

[0] https://review.opendev.org/#/c/678426/
[1] https://security.openstack.org/vmt-process.html