[dev][security-sig][tc] Please follow up on privately reported defects

Jeremy Stanley fungi at yuggoth.org
Tue Jul 26 15:38:26 UTC 2022

First, a huge thank you to everyone who is staying on top of reports
of suspected security vulnerabilities! Unfortunately, not everyone
has been, which is the reason for this E-mail.

It's common practice that, if someone finds a problem in software
which they think might be an exploitable security vulnerability,
they report it initially in private in order to give the project's
maintainers an opportunity to correct things and have patches ready
before it becomes common knowledge. This works okay as long as
people actually look at these privately reported bugs (or at the
project's bugs at all).

For OpenStack deliverables whose maintainers opt them into VMT
oversight[*], these private reports are initially handled by a
vulnerability coordinator in order to make sure that they're
probably reported against the correct project, that the project
maintainers who have volunteered to handle those sorts of reports
are correctly subscribed, and that everyone is reminded of the
ground rules and timetable for resolving reports under such an
embargo. For other OpenStack deliverables, VMT members may still
weigh in on those private reports and offer assistance or guidance
on handling and reporting procedures. Our VMT members do not,
however, have sufficient time in their day to keep individually
reaching out to project maintainers in order to remind them to do
their part.

OpenStack is a community which has optimized around transparency and
public collaboration, so it's not surprising that confirming bugs
and reviewing changes in private is clunky and unpleasant. This is,
if anything, a reason to prioritize triaging private bug reports in
order to make sure they're really a bug (not just a misunderstanding
or misconfiguration), and represent a severe enough risk to warrant
continued handling in secret. Many of the private bug reports
currently pending could probably be switched to public and even
perhaps closed today, if maintainers for their projects would just
find a moment to take a look at them. For the ones which can't be
handled right away, at least leave a quick comment letting the
reporter and the VMT members know you're taking a look, or any first
impressions or questions you might have.

If you're interested in helping a project resolve reported
vulnerabilities and aren't yet a member of their security review
team in the appropriate bug tracker (usually *-coresec in LP or
openstack-security-* in SB), then please reach out to the
appropriate PTL and let them know. If you're a PTL and you were
never made a member of the security review team for your project or
are having trouble adding willing volunteers, please follow up here
on the ML or feel free to reach out to me directly for assistance.

For those who read this far, thank you for your time, and please
remember to follow up on those bugs!

[*] https://security.openstack.org/repos-overseen.html
Jeremy Stanley