Security/Security Note Process
This page describes the process that should be followed for writing and publishing an OpenStack Security Note (OSSN). This page is intended to be used by members of the OpenStack Security Group.
Writing
Template
Reviewing
A Security Note should be reviewed by at least one other member of the OpenStack Security Group as well as the PTL from any projects related to the Security Note. When a Security Note is ready for review, the draft should be entered as a comment in the OSSN bug in Launchpad. The reviewers should give their approval or feedback on required changes in the Launchpad bug.
Publishing
Once a Security Note has been approved by the appropriate reviewers, it is ready to be published. Security Notes are published in two places:
- OpenStack mailing lists
- OpenStack wiki
Post-mortem Tasks
Once a Security Note has been published, it is a good idea to check whether the OpenStack Security Guide or Security Guidelines could be improved to help prevent issues similar to the one described in the Security Note.