[Openstack-operators] [tc][security] Proposal to change the CVE embargo window

John Dickinson me at not.mn
Mon Jan 25 18:58:19 UTC 2016

I'd like to lengthen the embargo window on CVE disclosures.

Currently, the process is this (https://security.openstack.org/vmt-process.html):

  1. A security bug is reported (and confirmed as valid)
  2. A patch is developed an reviewed
  3. After the proposed fix is approved by reviewers, A CVE is filed
  4. 3-5 business days later, the vulnerability is disclosed publicly and the patches are landed upstream

The problem as I see it is that the 3 to 5 day embargo is way too short. Specifically, for those supporting OpenStack projects in a product, the short embargo does not allow sufficient time for applying, testing, and staging the fix in time for the disclosure. This leaves end-users and deployers with the situation of having a publicly announced security vulnerability without any hope of having a fix.

I would like the embargo period to be lengthened to be 2 weeks.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160125/3a442c47/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20160125/3a442c47/attachment.pgp>

More information about the OpenStack-operators mailing list