Vulnerabilities are handled by the OpenStack vulnerability management team.
This team is responsible for coordinating the progressive disclosure of a vulnerability:
- Getting the PTL and key core developers on board with the original reporter to develop a fix
- Warning public cloud providers and downstream distributions
- Coordinating public disclosure with all affected parties
Members of the team are independent, security-minded folks who will not give their employers notice ahead of other downstream users.