Difference between revisions of "Vulnerability Management"
| Line 6: | Line 6: | ||
This team is responsible for coordinating the progressive disclosure of a vulnerability: | This team is responsible for coordinating the progressive disclosure of a vulnerability: | ||
| − | # | + | Members of the team are independent and security-minded folks that will '''not''' give prior notice to their employer before other downstream users. |
| − | # Warn | + | |
| − | + | == Process == | |
| + | |||
| + | === From Encrypted email === | ||
| + | |||
| + | {| border="1" cellpadding="2" cellspacing="0" | ||
| + | |<#eeeeee>| Phase | ||
| + | |- | ||
| + | | Receive encrypted email from original reporter | ||
| + | |- | ||
| + | | Warn PTL of affected project, confirmation of impact | ||
| + | |- | ||
| + | | Create security-restricted Launchpad bug entry | ||
| + | |} | ||
| + | |||
| + | === From Launchpad bug entry === | ||
| + | |||
| + | {| border="1" cellpadding="2" cellspacing="0" | ||
| + | |<#eeeeee>| Phase | ||
| + | |- | ||
| + | | Receive bug report | ||
| + | |- | ||
| + | | Warn PTL of affected project, confirmation of impact | ||
| + | |} | ||
| + | |||
| + | === Coordinated disclosure === | ||
| − | + | {| border="1" cellpadding="2" cellspacing="0" | |
| + | |<#eeeeee>| Phase | ||
| + | |- | ||
| + | | Develop fix with original reporter, PTL (and a few other core developers if needed) | ||
| + | |- | ||
| + | | Get fix pre-approved by Core team | ||
| + | |- | ||
| + | | Communicate issue and fix to downstream users, define public disclosure date/time | ||
| + | |- | ||
| + | | At disclosure date: Get core developers ready, push fix to Gerrit and have them approve it | ||
| + | |- | ||
| + | | Distributions deploy fixes | ||
| + | |- | ||
| + | | Issue advisories | ||
Revision as of 13:48, 25 October 2011
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability:
Members of the team are independent and security-minded folks that will not give prior notice to their employer before other downstream users.
Process
From Encrypted email
| Phase |
| Receive encrypted email from original reporter |
| Warn PTL of affected project, confirmation of impact |
| Create security-restricted Launchpad bug entry |
From Launchpad bug entry
| Phase |
| Receive bug report |
| Warn PTL of affected project, confirmation of impact |
Coordinated disclosure
| Phase |
| Develop fix with original reporter, PTL (and a few other core developers if needed) |
| Get fix pre-approved by Core team |
| Communicate issue and fix to downstream users, define public disclosure date/time |
| At disclosure date: Get core developers ready, push fix to Gerrit and have them approve it |
| Distributions deploy fixes |
| Issue advisories |
