Vulnerability Management
Revision as of 13:48, 25 October 2011 by ThierryCarrez (talk)
Vulnerability Management
Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability:
Members of the team are independent and security-minded folks that will not give prior notice to their employer before other downstream users.
Process
From Encrypted email
| Phase |
| Receive encrypted email from original reporter |
| Warn PTL of affected project, confirmation of impact |
| Create security-restricted Launchpad bug entry |
From Launchpad bug entry
| Phase |
| Receive bug report |
| Warn PTL of affected project, confirmation of impact |
Coordinated disclosure
| Phase |
| Develop fix with original reporter, PTL (and a few other core developers if needed) |
| Get fix pre-approved by Core team |
| Communicate issue and fix to downstream users, define public disclosure date/time |
| At disclosure date: Get core developers ready, push fix to Gerrit and have them approve it |
| Distributions deploy fixes |
| Issue advisories |
