OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
I think out of the 3 below, I like the OS and Eucalyptus pages the most, as the stress that security is important and will contact will be responded to quickly. Give feedback on the draft above - then let's talk next steps…I'd say we need a security list, a php key behind it, a security notification page somewhere on the CS site, and I wouldn't' mind seeing a twitter feed specifically for security announcements, as well... John On Jun 20, 2012, at 1:21 PM, Clement Chen wrote: > We should set up a dedicated channel for security issues and handle security > bugs carefully. > > Below are some of the examples: > > Apache HTTP Server Project: http://httpd.apache.org/security_report.html > OpenStack: http://openstack.org/projects/openstack-security/ > Eucalyptus: http://www.eucalyptus.com/eucalyptus-cloud/security/procedures > > -Clement > > -----Original Message----- > From: David Nalley [mailto:da...@gnsa.us] > Sent: Wednesday, June 20, 2012 12:59 PM > To: cloudstack-dev@incubator.apache.org > Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh > Subject: Re: Query regarding where to store encryption keys > > On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com> > wrote: >>> -----Original Message----- >>> From: David Nalley [mailto:da...@gnsa.us] >>> Sent: Wednesday, June 20, 2012 12:32 PM >>> To: cloudstack-dev@incubator.apache.org >>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh >>> Subject: Re: Query regarding where to store encryption keys >>> >>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati >>> <vijayendra.bhamidip...@citrix.com> wrote: >>>> Hi Team, >>>> >>>> This is with reference to bug CS-15151 >>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions >>> and it would be great if you could share your knowledge and suggestions. >>>> >>> >>> >>> Why is that bug not publicly visible? >> >> Probably because it's highlighting a potential security hole. That seems >> like a reasonable precaution for the reporter to have taken. >> >> Would you like to handle these some other way? >> >> Ewan. >> > > That's a perfectly valid reason to keep it private, - though now the content > of the bug has been publicly discussed, so one wonders at the continued > utility of it being private. > > Perhaps it's a good time to segue to discussing how we wish to handle > security bugs, and get that documented. > > --David
