[Openstack-security] OpenStack Security Group representation to the VMT
Jeremy Stanley
fungi at yuggoth.org
Wed Nov 20 14:59:59 UTC 2013
On 2013-11-20 12:02:25 +0100 (+0100), Thierry Carrez wrote:
[...]
> Right, the current policy is a middle ground reflecting what our
> community is capable of delivering. As we improve on that we'll be
> able to cover a larger scope and have more aggressive deadlines...
> but there is no point in promising things that our community isn't
> capable of delivering.
Right--the alternative I was driving at was whether there should be
some age after which a vulnerability becomes public regardless of
whether or not it's fixed. I expect that to be a contentious
proposition, but it makes a good straw man/devil's advocate position
to point out that there are things the VMT can control (such as
public disclosure timeline) and things they can't (getting bugs
fixed by a certain deadline). Any time-based policies we enact would
have to be for the former, since as you and Robert pointed out any
statements on the latter would be at best guidelines to measure our
security response performance as a community.
--
Jeremy Stanley