Security/Security Note Process

Revision as of 02:55, 13 January 2014 by Nkinder

This page describes the process that should be followed for writing and publishing an OpenStack Security Note (OSSN). This page is intended to be used by members of the OpenStack Security Group.

Writing

Template

The following can be used as a template for writing a new Security Note. This is the format that should be used for publishing to the OpenStack mailing lists.

Title (single sentence)
---

### Summary ###
A few sentences describing the issue at a high level.

### Affected Services / Software ###
A comma-separated list of affected services and OpenStack releases.

### Discussion ###
A detailed discussion of the problem. This should have enough detail that the person reading can determine
if their deployment is affected, when the problem was introduced, and what types of attacks or problems an
affected deployment would be exposed to.

### Recommended Actions ###
A detailed description of what can be done to remediate the problem (if possible). If the recommendation
involves configuration changes, example snippets of configuration files should be included here.

### Contacts / References ###
This OSSN : <link to launchpad OSSN bug>
Original Launchpad Bug : <link to launchpad bug for affected project/service>
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: <CVE number if one was filed>
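As an added drafting aid that is not part of this wiki page or of any OSSG tooling, the following Python checks a draft against the template above: the title underline, the five section headings in order, the mandatory Contacts / References lines, and any angle-bracket placeholder text left over from the template. The sample draft embedded at the bottom is constructed, and its bug links are placeholders.

```python
import re
# Headings the OSSN template requires, in this order.
SECTIONS = ["Summary", "Affected Services / Software", "Discussion",
            "Recommended Actions", "Contacts / References"]
# Lines the Contacts / References section must carry (CVE is optional).
CONTACT_FIELDS = ["This OSSN", "Original Launchpad Bug",
                  "OpenStack Security ML", "OpenStack Security Group"]
HEADING = re.compile(r"^### (.+?) ###$")
PLACEHOLDER = re.compile(r"<[A-Za-z][^>]*>")  # e.g. <link to launchpad OSSN bug>

def check_ossn(text):
    """Return the list of problems in an OSSN draft; empty means it passes."""
    problems, lines = [], text.strip().splitlines()
    if len(lines) < 2 or lines[1].strip() != "---":  # title + '---' underline
        problems.append("title must be a single line followed by '---'")
    sections, current = {}, None  # body lines grouped under each heading
    for line in lines[2:]:
        m = HEADING.match(line)
        if m:
            current, sections[m.group(1)] = m.group(1), []
        elif current is not None:
            sections[current].append(line)
    if list(sections) != SECTIONS:
        problems.append("headings must be %s, found %s" % (SECTIONS, list(sections)))
    contacts = "\n".join(sections.get("Contacts / References", []))
    for field in CONTACT_FIELDS:
        if not re.search(r"^%s\s*:" % re.escape(field), contacts, re.M):
            problems.append("missing '%s' line in Contacts / References" % field)
    for n, line in enumerate(lines, 1):
        if PLACEHOLDER.search(line):  # template text left in the draft
            problems.append("line %d still holds a template placeholder" % n)
    return problems

# Constructed draft (not a real OSSN); the bug links are placeholders.
SAMPLE = """Example service enables a debug endpoint by default
---
### Summary ###
Constructed example: a debug endpoint is reachable without authentication.
### Affected Services / Software ###
Example-Service, Havana
### Discussion ###
Constructed discussion text.
### Recommended Actions ###
Set debug = False in the service configuration file.
### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/EXAMPLE
Original Launchpad Bug : https://bugs.launchpad.net/example/+bug/EXAMPLE
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
"""
```

Running `check_ossn(SAMPLE)` returns an empty list; dropping a heading or leaving `<CVE number if one was filed>` in the draft produces one problem line each.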

Reviewing

A Security Note should be reviewed by at least one other member of the OpenStack Security Group as well as the PTL of any project related to the Security Note. When a Security Note is ready for review, the draft should be entered as a comment in the OSSN bug in Launchpad. The reviewers should give their approval, or feedback on required changes, in the Launchpad bug.

Publishing

Once a Security Note has been approved by the appropriate reviewers, it is ready to be published. Security Notes are published in two places:

  • OpenStack mailing lists
  • OpenStack wiki

Post-mortem Tasks

Once a Security Note has been published, it is a good idea to check whether the OpenStack Security Guide or Security Guidelines could be improved to help prevent issues similar to the one described in the Security Note.