[security] Vulnerability Management Policy Changes

Gage Hugo gagehugo at gmail.com
Thu Feb 20 21:42:55 UTC 2020

The Vulnerability Management Team (VMT) has recently updated the
vulnerability:managed policy[0] here, the key points are:

   - Softened our #5 policy from a hard requirement to a recommendation

   - Clarified that the VMT does not track external software components

   - Defined that a project must tag releases to qualify for VMT oversight,
   and that the VMT only deals with vulnerabilities in real releases (not
   pre-releases, release candidates, milestones...)

   - Private embargoes shall not last more than 90 days, except under
   unusual circumstances

With the VMT policy changes[0] merged, we have also updated the VMT process[1]
to match. The biggest change to note is the new 90 day embargo limit:

    "If a report is held in embargo for 90 days without a fix, or
    significant details of the report are disclosed in a public venue,
    the embargo is terminated by a VMT coordinator at that time and
    subsequent process switches to the public report workflow."

We'll be updating all current private reports to let participants know that
there is a 90-day deadline (from when we update the report) to make those
reports public.

[0] https://review.opendev.org/#/c/678426/
[1] https://security.openstack.org/vmt-process.html