Difference between revisions of "Vulnerability Management"
Revision as of 14:05, 25 October 2011
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability.
Members of the team are independent and security-minded folks that will not give prior notice to their employer before other downstream users. Membership of the team is not about getting advance notice: it's about making sure vulnerabilities are handled in a quick, secure and fair way.
Process
Each security bug is assigned a coordinator (a member of the vulnerability management team) who drives the fixing and disclosure process. Here are the steps to follow (depending on whether the entry comes from an encrypted mail or a Launchpad report), together with the width of disclosure at each step.
From encrypted email
Phases:
1. Receive encrypted email from original reporter
2. Warn PTL of affected project, confirmation of impact
3. Create security-restricted Launchpad bug entry
From Launchpad bug entry
Phases:
1. Receive bug report, assign coordinator
2. Warn PTL of affected project, confirmation of impact
Coordinated disclosure
Phases:
1. Develop fix with original reporter, PTL (and a few other core developers if needed)
2. Get fix pre-approved by Core team
3. Communicate issue and fix to downstream users, define public disclosure date/time
4. At disclosure date: get core developers ready, push fix to Gerrit and have them approve it
5. Distributions deploy fixes
6. Issue advisories