Difference between revisions of "Vulnerability Management"
Revision as of 13:48, 25 October 2011
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability. Its members are independent, security-minded people who will not give their own employer notice of an issue before other downstream users receive it.
Process
From encrypted email

Phases:
1. Receive the encrypted email from the original reporter.
2. Warn the PTL (Project Technical Lead) of the affected project and confirm the impact.
3. Create a security-restricted Launchpad bug entry.
From Launchpad bug entry
Phases:
1. Receive the bug report.
2. Warn the PTL of the affected project and confirm the impact.
Coordinated disclosure
Phases:
1. Develop the fix with the original reporter and the PTL (and a few other core developers if needed).
2. Get the fix pre-approved by the Core team.
3. Communicate the issue and the fix to downstream users, and define the public disclosure date and time.
4. At the disclosure date: get the core developers ready, push the fix to Gerrit and have them approve it.
5. Distributions deploy the fixes.
6. Issue advisories.