Difference between revisions of "Vulnerability Management"

 
(This document has moved to security.openstack.org)
 
(57 intermediate revisions by 9 users not shown)
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
= Vulnerability Management =
+
= [http://security.openstack.org/vmt-process.html Vulnerability Management] documentation has moved =
  
Vulnerabilities are handled by the OpenStack vulnerability management team.
+
to http://security.openstack.org/vmt-process.html but the entries below are retained for the benefit of older deep links, bookmarks and search engine indexing.
  
This team is responsible for coordinating the progressive disclosure of a vulnerability:
+
==== [http://security.openstack.org/vmt-process.html#supported-versions Supported versions] ====
 
+
==== [http://security.openstack.org/vmt-process.html#process Process] ====
# Getting PTL and key core developers on board with original reporter to develop a fix
+
==== [http://security.openstack.org/vmt-process.html#reception Reception] ====
# Warn public cloud providers and downstream distributions
+
==== [http://security.openstack.org/vmt-process.html#patch-development Patch development] ====
# Coordinate public disclosure with all affected parties
+
==== [http://security.openstack.org/vmt-process.html#patch-review Patch review] ====
 
+
==== [http://security.openstack.org/vmt-process.html#draft-impact-description Draft impact description] ====
Members of the team are independent and security-minded folks that will '''not''' give prior notice to their employer before other downstream users.
+
==== [http://security.openstack.org/vmt-process.html#review-impact-description Review impact description] ====
 +
==== [http://security.openstack.org/vmt-process.html#cve-assignment CVE assignment] ====
 +
==== [http://security.openstack.org/vmt-process.html#get-assigned-cve Get assigned CVE] ====
 +
==== [http://security.openstack.org/vmt-process.html#embargoed-disclosure Embargoed disclosure] ====
 +
==== [http://security.openstack.org/vmt-process.html#open-bug-push-patches Open bug, push patches] ====
 +
==== [http://security.openstack.org/vmt-process.html#publish-ossa Publish OSSA] ====
 +
==== [http://security.openstack.org/vmt-process.html#incident-report-taxonomy Incident report taxonomy] ====
 +
==== [http://security.openstack.org/vmt-process.html#extent-of-disclosure Extent of disclosure] ====
 +
==== [http://security.openstack.org/vmt-process.html#downstream-stakeholders Downstream stakeholders] ====
 +
==== [http://security.openstack.org/vmt-process.html#templates Templates] ====
 +
==== [http://security.openstack.org/vmt-process.html#reception-incomplete-message-unconfirmed-issues Reception Incomplete Message (unconfirmed issues)] ====
 +
==== [http://security.openstack.org/vmt-process.html#reception-embargo-reminder-private-issues Reception Embargo Reminder (private issues)] ====
 +
==== [http://security.openstack.org/vmt-process.html#impact-description-description Impact description ($DESCRIPTION)] ====
 +
==== [http://security.openstack.org/vmt-process.html#cve-request-email-private-issues CVE request email (private issues)] ====
 +
==== [http://security.openstack.org/vmt-process.html#cve-request-email-public-issues CVE request email (public issues)] ====
 +
==== [http://security.openstack.org/vmt-process.html#downstream-stakeholders-notification-email-private-issues Downstream stakeholders notification email (private issues)] ====
 +
==== [http://security.openstack.org/vmt-process.html#openstack-security-advisories OpenStack Security Advisories] ====

Latest revision as of 15:49, 14 April 2015

Vulnerability Management documentation has moved

to http://security.openstack.org/vmt-process.html but the entries below are retained for the benefit of older deep links, bookmarks and search engine indexing.

Supported versions

Process

Reception

Patch development

Patch review

Draft impact description

Review impact description

CVE assignment

Get assigned CVE

Embargoed disclosure

Open bug, push patches

Publish OSSA

Incident report taxonomy

Extent of disclosure

Downstream stakeholders

Templates

Reception Incomplete Message (unconfirmed issues)

Reception Embargo Reminder (private issues)

Impact description ($DESCRIPTION)

CVE request email (private issues)

CVE request email (public issues)

Downstream stakeholders notification email (private issues)

OpenStack Security Advisories