[Openstack] Vulnerability Management concerns: negativity & count

Mark McLoughlin markmc at redhat.com
Fri Nov 25 07:26:02 UTC 2011


Hi Thierry,

On Thu, 2011-11-24 at 16:30 +0100, Thierry Carrez wrote:
> Lloyd Dewolf wrote:
> > [...]
> > I do have a couple of serious concerns:
> > [...]
> > Every sentence in the first paragraph is dripping with negativity
> > - "will not give prior notice to their employer"
> > - "not about getting advance notice"
> > - "reduce the disclosure of vulnerability in the early stages"
> 
> This page is work in progress policy for the vulnerability management
> team.

I think you've done a great job on this team and its processes. For me,
any negativity in the wording of the first paragraph was offset by the
very precise and sensible process description which followed :)

I went ahead and gave a shot at tweaking the paragraph to be a bit more
positive:

  http://wiki.openstack.org/VulnerabilityManagement

  Members of the team are independent and security-minded folks who
  ensure that vulnerabilities are dealt with in a timely manner and that
  downstream users are notified in a coordinated and fair manner. Where
  a member of the team is employed by a downstream user, the member does
  not give their employer prior notice of any vulnerabilities. In order
  to reduce the disclosure of vulnerability in the early stages,
  membership of this team is intentionally limited to a maximum of 3
  people.

I'm pretty sure I've kept your intended meaning?

Cheers,
Mark.