Everyone - we’ve[1] noticed a commit recently that's related to improving the security of CloudStack (I’m referring to the timing attack commit).
We love seeing folks have an interest in the security of CloudStack - the one request we make is if your work improves the security of ACS or patches a potential security vulnerability, shoot secur...@cloudstack.apache.org a quick note before you commit, submit code for review, or submit a pull request. We’ll take a quick peek and let you know if we’re OK with you continuing with your thing, or if we want to treat it as a formal security issue and run through the process at [2].

I do watch the commits and scan for a collection of keywords that could indicate issues, but would rather catch issues before they’re public.

Thanks for all your efforts!

John

1: (The secur...@cloudstack.apache.org “we”)
2: https://cloudstack.apache.org/security.html

PS: For the record, I’m not really worried about somebody leveraging a timing attack vulnerability, so not too concerned about this case.