OpenStack Security Group

Time: 2011-08-18

Drafter: JarretRaim

Drafters Email: jarret.raim@rackspace.com

Status: Proposed

Problem Statement

This proposal defines a structure for the handling of security topics inside the OpenStack community. It describes a specific process for the management of vulnerabilities in the OpenStack ecosystem and a more general process for security related activities like vendor involvement, automated and penetration testing, etc. The goal is to have a defined strategy for reporting security issues from inside the community, OpenStack users and outside security researchers that allows for responsible vulnerability disclosure and recognition procedures as well as providing a place for security related conversions around OpenStack to occur.

Vulnerability Management Team

The vulnerability management group will be responsible for gathering and tracking security vulnerabilities. Their main purpose is to ensure that the appropriate Project Technical Leads (PTLs) are notified of security issues within their products and assist them in fixing those issues as needed. If a vulnerability is particularly exploitable, the vulnerability management team may choose to mark the LaunchPad issue as private until a fix has been developed and deployed by those OpenStack users who would be affected. This decision will be made in consultation with the PTLs for the affected products. In addition, the vulnerability management team will be responsible for interaction with security researchers and other reporters of security issues. In an effort to encourage researchers to disclose vulnerabilities responsibly, the team will take reports and provide recognition to the discovering researchers.

The accomplish these goals, the vulnerability management team will:

• Develop and maintain documentation of the vulnerability management & disclosure process on openstack.org/security
• Publish the names, email addresses and GPG keys of members of the team for encrypted vulnerability reports
• Manage the security issues reported in LaunchPad

The group will be made up of a small group (2 - 3) of interested OpenStack community members in the interest of limiting the exposure of any particular vulnerability.

OpenStack Security Group (OSSG)

The OpenStack Security Group (OSSG) is designed as a sub-community for OpenStack members interested in security related topics. This includes OpenStack implementors and developer like Rackspace, users and security community members. The group will be responsible for:

• Being the public face of the OpenStack project for security related issues
• Collating, defining, publishing and maintaining security policies and guidance
• Work with security vendors interested in OpenStack integration

The OSSG could use the current public mailing list or a separate list (openstack-security) to encourage discussion on security related topics including best practices, testing, documentation, compliance and other security issues facing OpenStack implementors and community members.