Difference between revisions of "Vulnerability Management"
Line 27: | Line 27: | ||
|<#eeeeee>| Phase | |<#eeeeee>| Phase | ||
|- | |- | ||
− | | Receive bug report | + | | Receive bug report, assign coordinator |
|- | |- | ||
| Warn PTL of affected project, confirmation of impact | | Warn PTL of affected project, confirmation of impact |
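Review bot: the new "assign coordinator" step is added only to the Launchpad-bug intake row; the "From Encrypted email" table on the same page still opens with "Receive encrypted email from original reporter" and never names a coordinator, so reports arriving by the two paths now differ in who owns the case. Consider adding the same ", assign coordinator" to the first row of the encrypted-email table so both intake paths hand the report to a named owner before the PTL is warned.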
Revision as of 13:53, 25 October 2011
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability.
Members of the team are independent and security-minded folks who will not give prior notice to their employer before other downstream users.
Process

From encrypted email

Phases:
1. Receive encrypted email from original reporter
2. Warn PTL of affected project, confirmation of impact
3. Create security-restricted Launchpad bug entry

From Launchpad bug entry

Phases:
1. Receive bug report, assign coordinator
2. Warn PTL of affected project, confirmation of impact

Coordinated disclosure

Phases:
1. Develop fix with original reporter, PTL (and a few other core developers if needed)
2. Get fix pre-approved by Core team
3. Communicate issue and fix to downstream users, define public disclosure date/time
4. At disclosure date: get core developers ready, push fix to Gerrit and have them approve it
5. Distributions deploy fixes
6. Issue advisories