Difference between revisions of "Vulnerability Management"
Line 9: | Line 9: | ||
== Process == | == Process == | ||
+ | |||
+ | Each security bug is assigned a ''coordinator'' (member from the vulnerability management team) that will drive the fixing and disclosure process. Here are the steps to follow (depending on whether the entry comes from an encrypted mail or a Launchpad report), together with the width of disclosure at each step. | ||
=== From Encrypted email === | === From Encrypted email === |
Revision as of 13:55, 25 October 2011
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability:
Members of the team are independent and security-minded folks that will not give prior notice to their employer before other downstream users.
Process
Each security bug is assigned a coordinator (member from the vulnerability management team) that will drive the fixing and disclosure process. Here are the steps to follow (depending on whether the entry comes from an encrypted mail or a Launchpad report), together with the width of disclosure at each step.
From Encrypted email
Phase |
Receive encrypted email from original reporter |
Warn PTL of affected project, confirmation of impact |
Create security-restricted Launchpad bug entry |
From Launchpad bug entry
Phase |
Receive bug report, assign coordinator |
Warn PTL of affected project, confirmation of impact |
Coordinated disclosure
Phase |
Develop fix with original reporter, PTL (and a few other core developers if needed) |
Get fix pre-approved by Core team |
Communicate issue and fix to downstream users, define public disclosure date/time |
At disclosure date: Get core developers ready, push fix to Gerrit and have them approve it |
Distributions deploy fixes |
Issue advisories |