Difference between revisions of "Security-SIG"
m (Text replace - "__NOTOC__" to "") |
m (→Advisory Activities: fix up wording for intro sentence to no longer omit advisories) |
||
| (49 intermediate revisions by 15 users not shown) | |||
| Line 1: | Line 1: | ||
| − | |||
<!-- ##master-page:[[HomepageTemplate]] --> | <!-- ##master-page:[[HomepageTemplate]] --> | ||
<!-- #format wiki --> | <!-- #format wiki --> | ||
<!-- #language en --> | <!-- #language en --> | ||
| − | |||
| − | |||
| − | + | Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security SIG. The Security SIG is a horizontal effort within OpenStack that undertakes both technical and governance activities within OpenStack, aiming to provide guidance, information and code that enhances the overall security of the OpenStack ecosystem. | |
| − | ... | + | |
| + | == Organization and Contribution == | ||
| + | The Security SIG is built up primarily of two groups of people; those who write OpenStack code and those who try to secure OpenStack clouds! If you're interested in helping to make OpenStack more secure, either through writing better code, cross project collaboration, writing documentation or inventing cool new features and tooling - we want to hear from you! | ||
| + | |||
| + | === Leadership === | ||
| + | |||
| + | The security SIG has no formal leadership, instead it has chairs who arrange meetings and organize votes. The current chair can be found listed on the [https://governance.openstack.org/sigs/ SIG governance page]. | ||
| + | |||
| + | ==== IRC ==== | ||
| + | The security SIG has a discussion channel (#openstack-security) on the OFTC IRC network that's used for general communications, chat and the occasional user query. The security SIG meets monthly to discuss current security activities and progress on security happenings within OpenStack. We encourage new contributors to say hello during our meetings. | ||
| + | |||
| + | * [https://meetings.opendev.org/#OpenStack_Security_SIG_meeting Weekly meeting IRC information] | ||
| + | * [https://meetings.opendev.org/meetings/security/ Weekly meeting logs] | ||
| + | * [https://meetings.opendev.org/irclogs/%23openstack-security/ Logs from the #openstack-security room] | ||
| + | * [https://app.element.io/#/room%2F%23oftc_%23openstack-security%3Amatrix.org Connect to #openstack-security through the Matrix-OFTC bridge] | ||
| + | |||
| + | == Advisory Activities == | ||
| + | The Security SIG issues advisories and notes targeted at OpenStack Users and Vendors who either run or package OpenStack for use by downstream consumers. | ||
| − | + | Advisories are typically issued by the VMT, a small group of experienced developers within the Security SIG who receive, triage and release fixes for vulnerabilities in OpenStack. The final stage of fixing a vulnerability is to release a Security Advisory for the community. The OSSA details the nature of the vulnerability and the patches required to solve it. | |
| − | Security. | + | Security Notes are designed to complement the Security Advisories issued by the Vulnerability Management Team. Security notes can be issued for almost anything affecting the security of potential OpenStack deployments. In many cases a vulnerability may be reported that cannot be fixed immediately because the fix might break the API or otherwise cause service-breaking issues for downstream consumers. Often the Security SIG write notes that will guide deployers in how to best mitigate the issues when an OSSA cannot be provided. OSSNs are also issued for significant vulnerabilities in third party applications that would affect OpenStack deployments. |
| − | + | See the [https://security.openstack.org/ OpenStack security site] for the list of advisories and vulnerability management process documentation, as well as links to security note details. | |
Latest revision as of 17:47, 6 October 2022
Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security SIG. The Security SIG is a horizontal effort within OpenStack that undertakes both technical and governance activities within OpenStack, aiming to provide guidance, information and code that enhances the overall security of the OpenStack ecosystem.
Organization and Contribution
The Security SIG is built up primarily of two groups of people; those who write OpenStack code and those who try to secure OpenStack clouds! If you're interested in helping to make OpenStack more secure, either through writing better code, cross project collaboration, writing documentation or inventing cool new features and tooling - we want to hear from you!
Leadership
The security SIG has no formal leadership, instead it has chairs who arrange meetings and organize votes. The current chair can be found listed on the SIG governance page.
IRC
The security SIG has a discussion channel (#openstack-security) on the OFTC IRC network that's used for general communications, chat and the occasional user query. The security SIG meets monthly to discuss current security activities and progress on security happenings within OpenStack. We encourage new contributors to say hello during our meetings.
- Weekly meeting IRC information
- Weekly meeting logs
- Logs from the #openstack-security room
- Connect to #openstack-security through the Matrix-OFTC bridge
Advisory Activities
The Security SIG issues advisories and notes targeted at OpenStack Users and Vendors who either run or package OpenStack for use by downstream consumers.
Advisories are typically issued by the VMT, a small group of experienced developers within the Security SIG who receive, triage and release fixes for vulnerabilities in OpenStack. The final stage of fixing a vulnerability is to release a Security Advisory for the community. The OSSA details the nature of the vulnerability and the patches required to solve it.
Security Notes are designed to complement the Security Advisories issued by the Vulnerability Management Team. Security notes can be issued for almost anything affecting the security of potential OpenStack deployments. In many cases a vulnerability may be reported that cannot be fixed immediately because the fix might break the API or otherwise cause service-breaking issues for downstream consumers. Often the Security SIG write notes that will guide deployers in how to best mitigate the issues when an OSSA cannot be provided. OSSNs are also issued for significant vulnerabilities in third party applications that would affect OpenStack deployments.
See the OpenStack security site for the list of advisories and vulnerability management process documentation, as well as links to security note details.
