[Openstack-operators] [tc][security] Proposal to change the CVE embargo window

Doug Hellmann doug at doughellmann.com
Tue Jan 26 15:18:05 UTC 2016


Excerpts from John Dickinson's message of 2016-01-25 10:58:19 -0800:
> I'd like to lengthen the embargo window on CVE disclosures.
> 
> Currently, the process is this (https://security.openstack.org/vmt-process.html):
> 
>   1. A security bug is reported (and confirmed as valid)
>   2. A patch is developed and reviewed
>   3. After the proposed fix is approved by reviewers, a CVE is filed
>   4. 3-5 business days later, the vulnerability is disclosed publicly and the patches are landed upstream
> 
> The problem as I see it is that the 3 to 5 day embargo is way too short. Specifically, for those supporting OpenStack projects in a product, the short embargo does not allow sufficient time for applying, testing, and staging the fix in time for the disclosure. This leaves end-users and deployers with the situation of having a publicly announced security vulnerability without any hope of having a fix.
> 
> I would like the embargo period to be lengthened to be 2 weeks.
> 
> --John

I wasn't involved in the discussions that set the current embargo
window. Do we have a record of why that length of time was selected?
Was it based on feedback at the time? I don't have a problem with
lengthening the window, if the security team agrees, but I'd like
to understand how the current window was established.

Doug