Vulnerability Management
Vulnerability Management
Team
The OpenStack vulnerability management team is responsible for coordinating the progressive disclosure of a vulnerability.
Members of the team are independent and security-minded folks that will not give prior notice to their employer before other downstream users. Membership to the team is not about getting advance notice: it's about making sure vulnerabilities are handled in a quick, secure and fair way. In order to reduce the disclosure of vulnerability in the early stages, this team is voluntarily kept very small (maximum of 3 people).
Process
Each security bug is assigned a coordinator (member from the vulnerability management team) that will drive the fixing and disclosure process. Here are the steps to follow (depending on whether the entry comes from an encrypted mail or a Launchpad report), together with the width of disclosure at each step.
From Encrypted email
Phase |
Receive encrypted email from original reporter |
Warn PTL of affected project, confirmation of impact |
Create security-restricted Launchpad bug entry |
From Launchpad bug entry
Phase |
Receive bug report, assign coordinator |
Warn PTL of affected project, confirmation of impact |
Coordinated disclosure
Phase |
Develop fix with original reporter, PTL (and a few other core developers if needed) |
Get fix pre-approved by Core team |
Communicate issue and fix to downstream users, define public disclosure date/time |
At disclosure date: Get core developers ready, push fix to Gerrit and have them approve it |
Distributions deploy fixes |
Issue advisories, open bug |